It turns out Safari blocks “third-party” cookies from domains you haven’t visited. This is a default security setting.
If you authenticate against an API/service that is not in the same domain as your page and get a session cookie back, the cookie will never be used, because Safari will not save it.
Isn’t that awesome?
The solution is to access the API/service from a sub-domain of your site, e.g. “api.somedomain.com”. This should cause Safari to hold onto the cookie so it can be re-used for the CORS requests.
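Here is what a credentialed CORS call to such a sub-domain needs on the server and in the browser, as an added example that is not from the original post. The page origin `https://www.somedomain.com`, the cookie name `session` and all function names are assumptions.

```javascript
// Added example. Origins, cookie name and function names are hypothetical.
// Page is served from www.somedomain.com, API from api.somedomain.com.
const ALLOWED_ORIGINS = new Set(["https://www.somedomain.com"]);

// CORS response headers for a request that carries cookies.
// With credentials the browser rejects "Access-Control-Allow-Origin: *",
// so the origin is echoed back only when it is on the allow-list.
function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // no CORS grant
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from reusing one origin's grant for another
  };
}

// Session cookie set by api.somedomain.com. No Domain attribute, so it is
// host-only and goes back to the API host alone. SameSite=Lax is enough
// because www.somedomain.com and api.somedomain.com are the same site.
function sessionCookie(token) {
  return `session=${encodeURIComponent(token)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Login response: issue the cookie only to callers from a listed origin.
function loginResponse(requestOrigin, token) {
  const headers = corsHeaders(requestOrigin);
  if (!("Access-Control-Allow-Origin" in headers)) {
    return { status: 403, headers };
  }
  headers["Set-Cookie"] = sessionCookie(token);
  return { status: 200, headers };
}

// Browser side: cross-origin fetch() sends and stores cookies only when
// credentials is "include".
function apiRequestInit(method = "GET") {
  return { method, credentials: "include" };
}

// In the page:
// fetch("https://api.somedomain.com/me", apiRequestInit());
```
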