The original cookie specification of Netscape (see this cached version) does not say anything about listing multiple cookie declarations.

But as of Set-Cookie as defined by RFC 2109 allows a comma separated list of cookie declaration:

Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs.

The same applies to Set-Cookie2 as defined by RFC 2965:

Informally, the Set-Cookie2 response header comprises the token Set-Cookie2:, followed by a comma-separated list of one or more cookies. Each cookie begins with a NAME=VALUE pair, followed by zero or more semi-colon-separated attribute-value pairs.

But since most user agents still follow Netscape’s original specification, I would rather suggest to just declare each cookie with its own Set-Cookie header field.

This is also what the latest RFC 6265 reflects:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
a single header field. The usual mechanism for folding HTTP headers
fields (i.e., as defined in [RFC2616]) might change the semantics of
the Set-Cookie header field because the %x2C (",") character is used
by Set-Cookie in a way that conflicts with such folding.