(added @Anomie because I'm not sure if the following comment of his in CookieSessionProvider::sessionDataToExport() indicates my proposal is wrong.)
// If we're calling the legacy hook, we should populate $session // like User::setCookies() did.
While working to solve a problem with VisualEditor, I discovered that the UserID and UserName cookies are not set when using PluggableAuth.
This problem occurs if you are using SSO which does not call a (MediaWiki-managed) login form since $user->setCookies() is only called in a few places SpecialChangePasswordPreAuthManager::attemptReset(), LoginFormPreAuthManager::processLogin(), and ApiLogin::execute().
Since the SSO system I'm coding against (CA's SiteMinder) depends on http headers, and the api uses User's loadFromSession, my SSO system can't authenticate VE users (since the headers SSO uses aren't passed in, but the UserID and UserName cookies are.
It may be that the $user->setCookies() call should happen in my use of PluggableAuth, not in PluggableAuth, but users of PluggableAuth should be aware of the potential problem.