The last option is secure. Unlike the other options, this is just a flag and has no additional value specified. A secure cookie will only be sent to the server when a request is made using SSL and the HTTPS protocol. The idea is that the contents of the cookie are of high value and could be potentially damaging to transmit as clear text. Sample:
Set-Cookie: name=Nicholas; secure
In reality, confidential or sensitive information should never be stored or transmitted in cookies as the entire mechanism is inherently insecure. By default, cookies set over an HTTPS connection are automatically set to be secure.
Actually, you want to disconnect the users and have them log in again.
After you switch to HTTPS, the cookies MUST be made "secure only"; if you don't do that, you leave the users vulnerable to different attack vectors that can steal cookies.
Take these two assumptions:
1) Cookies over HTTP can be sniffed since they are transmitted in clear text
2) Cookies over HTTPS are safe
Now notice this simple scenario:
1) Webmaster sets redirection from http -> https
2) Cookies are set to be for both http and https
3) User still types in the browser http://yourdomain.com
4) Browser opens yourdomain.com, SENDS cookies, and is redirected to https://yourdomain.com
5) Browser opens the SSL site
By setting the cookies for both HTTP and HTTPS you are putting the users at risk: the cookies were sent in the clear in step (4), even when using HTTPS, since that page is hit before the HTTPS one because of the redirection, and this makes the content of the cookies available to attackers. If xf_user is there, then the user can potentially use that to log in to the site, or at least re-use the xf_session.
That means all the cookies set for HTTP for any user of your site are potentially compromised, and switching to HTTPS will not help at all, except for the users that are logging in for the first time. But you can avoid further compromising user information by making sure the cookies are set to HTTPS only (the default in XenForo). If you wanted to be extra careful, I would even change the $config['cookie']['cookie_prefix'] to force the users to start a fresh session.
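The redirect scenario above, as an added example (not part of the original post and not XenForo code): a minimal Python model of the browser's Secure-flag rule that reports which cookies travel in clear text on the initial http:// request. The cookie values are constructed placeholders, and domain, path and expiry matching are deliberately not modelled.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def cookies_sent(jar, url):
    """Names of cookies attached to a request for url (Secure rule only)."""
    is_https = urlsplit(url).scheme == "https"
    return [name for name, _, attrs in jar if is_https or "secure" not in attrs]


def cleartext_exposure(set_cookie_headers, request_chain):
    """Cookies that cross the wire unencrypted anywhere in the request chain."""
    jar = [parse_set_cookie(h) for h in set_cookie_headers]
    exposed = set()
    for url in request_chain:
        if urlsplit(url).scheme == "http":
            exposed.update(cookies_sent(jar, url))
    return sorted(exposed)


# Constructed sample data: cookie names and host are the ones used in the post.
WEAK_HEADERS = [
    "xf_user=constructed-user-token; path=/; HttpOnly",
    "xf_session=constructed-session-id; path=/; HttpOnly",
]
HARDENED_HEADERS = [h + "; Secure" for h in WEAK_HEADERS]

# Steps 3-5 of the scenario: the user types http://, then is redirected to https://.
REDIRECT_CHAIN = ["http://yourdomain.com/", "https://yourdomain.com/"]

if __name__ == "__main__":
    print("without Secure:", cleartext_exposure(WEAK_HEADERS, REDIRECT_CHAIN))
    print("with Secure:   ", cleartext_exposure(HARDENED_HEADERS, REDIRECT_CHAIN))
```

Running the same function over the Set-Cookie headers captured from a login response shows whether any session cookie is still missing the flag after the HTTPS switch.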