This is on a 4500X running 03.08.06.E
There doesn't seem to be a cookie option under the deny statements in an extended ip access-list.
ip access-list extended FOO
switch01(config-ext-nacl)#permit ip any object-group BLOCKED log ?
WORD User defined cookie (max of 64 char)
dscp Match packets with given dscp value
fragments Check non-initial fragments
option Match packets with given IP Options value
precedence Match packets with given precedence value
reflect Create reflexive access list entry
time-range Specify a time-range
tos Match packets with given TOS value
<cr>
switch01(config-ext-nacl)#deny ip any object-group BLOCKED log ?
dscp Match packets with given dscp value
fragments Check non-initial fragments
option Match packets with given IP Options value
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
<cr>
No "WORD" option shown.
Is this intentional or some sort of bug?