Signing the CSRF cookie

The combination is an interesting idea. I don’t think the setting would need three states though. What about the following?

The initial release of this change adds a setting CSRF_COOKIE_SIGNATURE_REQUIRED that defaults to False. All new CSRF cookies are created signed. If this setting is False, Django accepts both signed and unsigned CSRF cookies. If this setting is True, Django only accepts signed cookies.

In a subsequent major release, the CSRF_COOKIE_SIGNATURE_REQUIRED flag is changed to default to True and is deprecated. It can eventually be removed, with the True behavior of this flag becoming the only code pathway.
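The two-state acceptance rule proposed above, sketched as an added stand-alone example (not Django's code, and not the patch under discussion). It assumes a hypothetical cookie layout of `<token>:<hmac>`, a constructed secret in place of `SECRET_KEY`, and that legacy unsigned tokens never contain the `:` separator; the function and setting names other than CSRF_COOKIE_SIGNATURE_REQUIRED are invented for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example only; a real deployment derives the
# signing key from SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"
SEPARATOR = ":"


def _signature(token: str) -> str:
    """HMAC-SHA256 over the token value, hex encoded (hypothetical scheme)."""
    return hmac.new(SECRET_KEY, token.encode("ascii"), hashlib.sha256).hexdigest()


def make_csrf_cookie(token: Optional[str] = None) -> str:
    """Every newly issued cookie is signed: '<token>:<hmac>'."""
    if token is None:
        token = secrets.token_hex(16)  # hex, so it never contains SEPARATOR
    return f"{token}{SEPARATOR}{_signature(token)}"


def parse_csrf_cookie(cookie: str, signature_required: bool) -> Optional[str]:
    """Return the accepted token, or None when the cookie is rejected.

    signature_required mirrors CSRF_COOKIE_SIGNATURE_REQUIRED:
      False (initial default): accept signed cookies and legacy unsigned ones.
      True  (later default):   accept signed cookies only.
    A cookie that carries a signature must verify in both modes; a bad
    signature is never downgraded to "unsigned".
    """
    token, sep, sig = cookie.rpartition(SEPARATOR)
    if sep:
        # Signature present: constant-time compare against a fresh HMAC.
        if hmac.compare_digest(sig, _signature(token)):
            return token
        return None
    # No separator: legacy unsigned cookie.
    if signature_required:
        return None
    return cookie
```

Flipping `signature_required` to True is the only change needed at the later release, and once the flag is removed the unsigned branch is deleted. The choice to reject a present-but-invalid signature even while the flag is False is an assumption of this example: treating a failed signature as an unsigned cookie would let a tampered value through during the transition period.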