Knut, this is a classic problem, which is indeed challenging and there are various possible solutions. I’ll let others propose what’s worked best for them.
But note first that you will NOT be able to detect cookie support on the very FIRST page request someone ever makes to your site, at least not from the server code alone. The problem is that when someone visits your site for the very first time, there will BE no session cookie (jsessionid, in your case). So Lucee (or ACF) would SET it, to be delivered in the first RESPONSE.
Only after they get that response and try to visit a second page could you even try to detect if the cookie was sent BACK. This was a more frequent challenge years ago when some people and orgs blocked all cookies. It’s now returned with some choosing to reject a given site’s cookies when offered via the pop-ups made popular by the GDPR. (It’s not as much affected by third-party cookie issues, as your site would be a first party.)
So bottom line, you need to have sent a response to be able to test if you got it…and that’s challenging.
While some good news is that modern browsers offer JavaScript properties reporting cookie support, again you need to send the JS code to the browser and have it execute in order to detect that, so it doesn’t really help with the VERY first page request. But you can play tricks with iframes, frameworks, etc. Again, I’ll leave it to others to elaborate on what’s worked well for them.
I just wanted to address first these foundational technical points. And finally, you ask about onsessionstart but you don’t show using it. To be clear, that WOULD show a cookie.jsessionid, but that would be reflecting what Lucee/ACF had SET a) in memory for that first request AND b) as a header which would be sent to the browser in response to that. Again you could NOT use that variable’s presence to know if the cookie was sent FROM the browser. FWIW, the cookies coming IN on a request can be found in the cgi scope’s http_cookie variable.
Hope all that’s helpful. Sorry it couldn’t be a Twitter/Slack-sized reply. Maybe someone else will do that job better, or can with these details out of the way.
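
The two-request check described in the reply above, sketched as an added example that is not part of the original post: an Application.cfc that offers a probe cookie on the first request, redirects once, and then reads the raw inbound header in `cgi.http_cookie` instead of the cookie scope. The application name, the cookie name `cookieprobe`, the URL flag `cookiecheck` and the `request.cookiesSupported` variable are assumptions made for illustration.

```cfml
// Application.cfc (added example; all names below are hypothetical)
component {
    this.name = "cookieProbeDemo";
    this.sessionManagement = true;

    // True only if the browser itself sent the named cookie on THIS request.
    // The cookie scope cannot answer that, because it also holds cookies the
    // server has just set for the outgoing response. cgi.http_cookie is the
    // raw inbound Cookie header. CFML's == is case-insensitive, which covers
    // engines that upper-case cookie names when setting them.
    private boolean function browserSentCookie(required string name) {
        for (var pair in listToArray(cgi.http_cookie, ";")) {
            if (trim(listFirst(pair, "=")) == arguments.name) {
                return true;
            }
        }
        return false;
    }

    public boolean function onRequestStart(required string targetPage) {
        if (browserSentCookie("cookieprobe")) {
            // The probe came back from the browser: cookies are accepted.
            request.cookiesSupported = true;
            return true;
        }
        if (structKeyExists(url, "cookiecheck")) {
            // Second request: the probe was offered but not returned.
            // Do not redirect again, or a cookie-less client would loop.
            request.cookiesSupported = false;
            return true;
        }
        if (cgi.request_method != "GET") {
            // A redirect would drop a POST body, so leave the answer open.
            request.cookiesSupported = "unknown";
            return true;
        }
        // First request: offer the probe cookie and redirect exactly once.
        cfcookie(name="cookieprobe", value="1", httponly=true);
        var qs = listAppend(cgi.query_string, "cookiecheck=1", "&");
        location(url=cgi.script_name & "?" & qs, addtoken=false);
        return true;
    }
}
```

On the very first request the function never reports support either way; the answer only exists from the redirected second request onward, which is the limitation the reply describes.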