in reply to Re: Encrypted Storage of sensible Data in a Cookie
in thread Encrypted Storage of sensible Data in a Cookie

According to the Eagle book, the reason for the double MD5 is that there is a remote possibility that an exploit in the algorithm could be used to break the MD5.

One should always include a MAC when sending a cookie with any semi-useful or important data. Remember, NEVER TRUST THE CLIENT. :-)

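As an added example (not code from this thread or from the Eagle book): a cookie value that carries a MAC, which the server verifies before trusting anything in it. It uses HMAC-SHA256 from the core Digest::SHA module, the standardized nested-hash MAC, in place of the double MD5 mentioned above; the secret, the `payload|expires|mac` layout and the sub names are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: MAC-protected cookie value (hypothetical names and layout).
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: the secret lives only on the server (loaded from config in practice).
my $SECRET = 'constructed-demo-secret-change-me';

# Build "payload|expires|mac"; the MAC covers both the payload and the expiry.
sub make_cookie {
    my ($payload, $ttl) = @_;
    die "payload must not contain '|'\n" if $payload =~ /\|/;
    my $expires = time() + $ttl;
    my $mac     = hmac_sha256_hex("$payload|$expires", $SECRET);
    return join '|', $payload, $expires, $mac;
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the payload only if the MAC matches and the cookie has not expired.
sub check_cookie {
    my ($cookie) = @_;
    return unless defined $cookie;
    my @f = split /\|/, $cookie, -1;
    return unless @f == 3;
    my ($payload, $expires, $mac) = @f;
    my $want = hmac_sha256_hex("$payload|$expires", $SECRET);
    return unless ct_eq($want, $mac);      # verify first, trust fields after
    return if $expires < time();
    return $payload;
}

# Constructed sample: a genuine cookie and a client-side edit of the same cookie.
my $cookie = make_cookie('user=alice;role=user', 3600);
(my $forged = $cookie) =~ s/role=user/role=admin/;
for my $case (['genuine', $cookie], ['forged', $forged]) {
    my $result = defined(check_cookie($case->[1])) ? 'accepted' : 'rejected';
    print "$case->[0]: $result\n";
}
```

The value would still need URL-escaping before it goes into a Set-Cookie header, and a MAC only gives integrity: data the client must not read needs encryption as well.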