Probably because you've set up cookies on the main domain that are also valid for any subdomains. If you configure a cookie with domain=example.com, it will also be available to *.example.com. So you would either have to change the configuration of those cookies (won't invalidate previously set cookies though), or use a completely separate domain name (e.g. cdn-example.com) instead of a subdomain.
Also keep in mind that performance guidelines are just suggestions based on a fairly simple analysis of your page. Don't blindly follow them, they could slow you down. Use real user monitoring (RUM), like Site Speed in Analytics, or something like Webpagetest.org to measure results.
It's probably not a WordPress cookie, then. It could be Google Analytics*, but you'll want to be sure, so open the Developer Tools of your web browser and find the request headers of a resource on the "cdn" subdomain in the "Network" tab, then look for the "cookie" header. The values should give you a hint about their origin. There are also several cookie inspector browser add-ons available that you could use instead, if you're not familiar with the Developer Tools. You can also pull those headers from test results at Webpagetest.org.
* Analytics automatically sets its cookie "on the highest level domain it can. For example, if your website address is blog.example.co.uk, analytics.js will set the cookie domain to .example.co.uk." (source [developers.google.com]). You can optionally customize this, but find the culprit first.