I'm using rest-client 1.6.7 and on Ruby 1.8.7.

CGI::Parse already unescapes the cookie. In AbstractResponse, rest-client escapes it again. In Request, it unescapes it before sending it out over the wire. While the escape and unescape in rest-client matches, there's an extra unescape from CGI::Parse. Therefore the cookie is set in the request header unescaped.