Since no one has actually answered the question, just suggested workarounds. (Which are probably better, if you are in the right circumstances to use them.) I experimented to find the characters that caused issues. I tested all punctuation available on a standard US keyboard. I also tested space and (horizontal) tab. I did not test any extended Unicode punctuation, nor control characters.

The characters I found to cause problems in Rails 3.2.9, using webrick and the composite_primary_keys gem are:

,/.%

To validate that a field contains none of these characters:

validates :field_name, :format => { :with => /\A[^,\/\.%]*\z/, 
  :message => "commas, slashes, periods, and percent signs (,/.%) are not allowed"}

Many of the other characters I tried are not valid directly in URLs, but Rails automatically URL encodes them so they do not cause an issue.

As mentioned in the comments on the original question, some of these characters can be enabled by configuring Rails other than the defaults, but in doing so you will disable other features of Rails. To enable them you need to add :constraints or :id settings in your route definition.

I have not completely tested enabling all these characters, but I believe the consequences are:

Ch  Consequence of enabling use
--  ---------------------------------------
,   Must not use gem composite_primary_keys
/   Limits ability to route to child items
.   Disables automatic format handling
%   Not sure this can be enabled