From my point of view, a possible compromise of their news site CMS seems like a much less serious threat than phishing, so this seems like a bad tradeoff. If you're worried that cookie scoping will get broken, maybe you could have the news site CMS raise an alert if it sees PayPal-session-token cookie names.
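
The alert suggested above could be sketched as WSGI middleware in front of the CMS. This is an added example, not part of the original comment. The cookie-name patterns, the `CookieScopeCanary` class and the `alert` hook are assumptions, since the comment names no real session-cookie names.

```python
"""Canary: alert when cookies scoped to another site reach this application."""
import fnmatch
import logging

log = logging.getLogger("cookie_scope_canary")

# Assumption: placeholder patterns. Substitute the payment site's real
# session-cookie names; the comment above does not list them.
FORBIDDEN_COOKIE_PATTERNS = ("pp_session", "pp_auth_*")


def cookie_names(header):
    """Return the cookie names in a raw Cookie header, discarding values."""
    names = []
    for pair in header.split(";"):
        name, _, _ = pair.strip().partition("=")
        if name:
            names.append(name)
    return names


def leaked_cookie_names(header, patterns=FORBIDDEN_COOKIE_PATTERNS):
    """Names in the header matching a forbidden pattern, case-insensitively."""
    return [n for n in cookie_names(header)
            if any(fnmatch.fnmatchcase(n.lower(), p.lower()) for p in patterns)]


class CookieScopeCanary:
    """WSGI middleware that raises an alert when a forbidden cookie arrives."""

    def __init__(self, app, alert=None, patterns=FORBIDDEN_COOKIE_PATTERNS):
        self.app = app
        self.alert = alert or log.error
        self.patterns = patterns

    def __call__(self, environ, start_response):
        leaked = leaked_cookie_names(environ.get("HTTP_COOKIE", ""),
                                     self.patterns)
        if leaked:
            # Report names only: the values are live session credentials
            # and must not be copied into logs or alert channels.
            self.alert("cookie scope leak: names=%s path=%s"
                       % (sorted(set(leaked)), environ.get("PATH_INFO", "")))
        return self.app(environ, start_response)
```

The middleware only reports; the request still reaches the CMS unchanged, so the alert should go to whoever owns the cookie configuration on the payment site.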