Parent has hit the nail right on the head. I used to work on Facebook games for an indie games company and now I'm in charge of 'doing Facebook' for another company and so cross domain Iframe cookie problems are something I come across a lot. Maintaining user sessions inside iframes isn't straightforward.
Relatively recently, Facebook updated their apps platform so that app iframes to 3rd party sites are POSTed to via JavaScript to avoid safari's limitation on accepting 3rd party cookies. Previously the work around was to have some js in your page that would post to itself - both methods trick safari into thinking the user actively navigated to the Iframe and so should accept cookies.
Facebook have yet to implement a trick to make ie accept 3rd party cookies and so the widely used work around is use either a genuine or dud p3p header.
Yes, these hacks and workarounds are nasty and yes they're bad for standards - but if browser vendors insist on such privacy controls they need to make it much more user friendly for users to whitelist sites. Most of users we get through Facebook don't know what cookies are - they just want our apps to work. Blocking cookies without even prompting the user is not the way forward.
This isn't advertising, it's reporting the news.
Should
Work expands to fill the time available. -- Cyril Northcote Parkinson, "The Economist", 1955