You need to find all pages where you build links with session parameters, and change all templates accordingly.

Just wondering since I know nothing about your site setup, are you using URI management fully? Did you make sure all the code on your site is not calling the sessionID but the URI management page instead? Did you do a find/replace on the site for any URI management code not loading the :secure; URI? Do you have any JavaScripts etc that call in the non-secure URI? Did you force your site to be HTTPS in your root htaccess? Tons of other what-if's here.

the pci scanner is https://www.pciapply.com unfortunatly it will not allow me to add attachments

What PCI scanner is doing that? It should be checking the cookie if its worried about whether they are secure or not.

You should publish a sanitized version of your domain settings. Might be an issue with the combination of settings.

The issue is the PCI scanner thinks the site is not using secure cookies because of this and fails the site. The site only allows HTTPS communication and cookies are only set on https. I would rather not post the url to the site as it is a site i am working on and this is the only issue i cannot resolve. i can send a screenshot of anything needed.

I'm not aware of any PCI issues with having session ids in the URL. Usually, they are removed because of SEO reasons (valid or not).

lifeisboost could you post a link to the site, please?