I had similar issue, where I wanted to access protected stream urls by making two api calls. First was the login, which will generate the cookie and using that cookies I need to make play api call to get the stream. I struggled for couple of hours and then found this solution (with the help of my colleague).

function requestData(port as Object, url as String, cookie="" as Dynamic) as Object
    request = createObject("roUrlTransfer")
    request.setPort(port)
    request.setUrl(url)

    if cookie <> "" then
        request.addHeader("Cookie", cookie)
    end if

    request.setCertificatesFile("common:/certs/ca-bundle.crt")
    request.initClientCertificates()
    request.enableCookies()
    request.enableFreshConnection(true)
    request.retainBodyOnError(true)

    request.asyncGetToString()

    return request

End Function

Order of the AddHeader and enableCookies, matters a lot. I had the order other way round and it always slapped me with 403 (forbidden) error cause cookies were not set to the next http GET request.
Dont forget to EnableCookies on your video player as well as they both (roUrlTransfer and roVideoPlayer) shares the same inteface ifHttpAgent.