Just set the cookie on exactly the same name, path and domain, but with an Expires value in the past. Optionally, set the value to null/empty-string, even if it’s just to save the bandwidth, it’s otherwise ignored anyway by the average client.
Note that setting on exactly the same path is important. Many starters fail in this by using only the same name and domain and relying on the current request URL for the default path.
From the RFC 6265 spec:
Finally, to remove a cookie, the server returns a Set-Cookie header
with an expiration date in the past. The server will be successful
in removing the cookie only if the Path and the Domain attribute in
the Set-Cookie header match the values used when the cookie was
created.
Using Max-Age=0 will also work with any spec-compliant user agent, but the spec dictates that a server “SHOULD” not do this. Per https://www.rfc-editor.org/errata/eid3430, this is apparently meant to maximise interoperability with non-compliant user agents that only support positive Max-Age values.