
If includeSubDomains is set for HSTS, does that mean that a cert for https://foo.com/ is required instead of https://www.foo.com/ in order to protect cookies set for foo.com and under?

It's not clear to me from what docs I have been able to find.


