This gets it done, consistent with your suggestion of probably needing the domain attribute blank.
setcookie( 'xf_user', '', time()-1, '/', '', false, false);
However, the httponly and secure attributes did not have to be set to true.
Cookie rules defy reason.
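
Added example, not part of the original post: a small JavaScript model of the RFC 6265 storage rule behind this result, in which a stored cookie is identified by name, domain and path only. The host names and cookie value are constructed, and the parser is a simplification (the default path is fixed to `/`).

```javascript
// Model of RFC 6265 section 5.3: a stored cookie is identified by
// (name, domain, path). Secure and HttpOnly are kept but never compared.
// Host names and the cookie value are constructed sample data.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), // blank Domain: the request host
    path: '/',                         // simplification of the default-path rule
    expires: Infinity, secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'domain' && val !== '') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'expires') cookie.expires = Date.parse(val);
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Apply one Set-Cookie header to the jar; returns true if it hit a stored cookie.
function receive(jar, header, requestHost, now = Date.now()) {
  const c = parseSetCookie(header, requestHost);
  const key = `${c.name}|${c.domain}|${c.path}`;
  const hit = jar.has(key);
  if (c.expires <= now) jar.delete(key); // an expired replacement evicts the old cookie
  else jar.set(key, c);
  return hit;
}

function demo() {
  const host = 'forum.example.test';
  const past = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT';
  const jar = new Map();
  receive(jar, 'xf_user=abc123; Path=/; Secure; HttpOnly', host);
  // Parent domain in the deletion: different identity, the cookie survives.
  const hitWithDomain = receive(jar, `xf_user=; ${past}; Path=/; Domain=example.test`, host);
  const sizeAfterDomain = jar.size;
  // Blank domain, Secure and HttpOnly both absent: same identity, cookie removed.
  const hitBlank = receive(jar, `xf_user=; ${past}; Path=/`, host);
  return { hitWithDomain, sizeAfterDomain, hitBlank, sizeAfterBlank: jar.size };
}
```

The model covers only the RFC 6265 identity match; rules that browsers layer on top, such as refusing to let a plain-HTTP response overwrite a Secure cookie, are not modelled.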