This is basic web application session management using cookies; OpenID doesn't really matter here.
No, absolutely do not store the username and password in a cookie. Cookies act as "bearer tokens", which means that anyone who has the cookie gets in. The best thing to store in a cookie is an unguessable, random key, which you then use to look up the real information in a table in your application. So the user gets the cookie "myappsession" with the value "234871nb341adf" for your domain; your application then looks up the value "234871nb341adf" in its local data store and checks whether it is associated with a valid user. You would also do well to check how long that session has been around, and so on. If it is a valid session and it is within your time and usage limits, the user is logged in automatically.
For additional paranoia on the RP side, you can use OpenID's checkid_immediate mode to make a background call and see whether the user is still logged in at their IdP. If they are not, then at least you know which provider to send them to for re-authentication and can offer a better user interface.
If you want your site to be truly secure, you should conduct all your sessions over HTTPS and mark your cookies as "Secure" and "HttpOnly", which is documented on the setcookie function manual page: http://php.net/manual/en/function.setcookie.php
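Here is an added example, not part of the original answer, of the pattern the answer describes, written in Python rather than PHP: a server-side session table keyed by an opaque random token, a lookup that enforces an idle timeout and an absolute lifetime, and the Set-Cookie header carrying the Secure and HttpOnly attributes. The cookie name "myappsession" comes from the answer; the timeout values, the choice to store only a SHA-256 hash of the token server-side, and the SameSite attribute are my own assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Limits chosen for this example; the answer only says "time and usage limits".
IDLE_TIMEOUT = 30 * 60          # seconds since the session was last used
ABSOLUTE_LIFETIME = 12 * 3600   # seconds since login, regardless of use
COOKIE_NAME = "myappsession"    # cookie name from the answer


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory stand-in for the application's session table.

    The table is keyed by a SHA-256 hash of the cookie value (an assumption of
    this example): a leaked copy of the table then does not yield usable cookies,
    and the dict lookup never compares the raw secret byte by byte.
    """

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, now=None) -> str:
        """Log a user in: mint a random token and record who it belongs to."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def lookup(self, token: str, now=None):
        """Return the user for a valid session, or None.

        A session that has exceeded either limit is deleted on the spot, so a
        later presentation of the same cookie fails too.
        """
        now = time.time() if now is None else now
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        too_old = now - sess.created > ABSOLUTE_LIFETIME
        too_idle = now - sess.last_seen > IDLE_TIMEOUT
        if too_old or too_idle:
            del self._sessions[key]
            return None
        sess.last_seen = now        # sliding idle window
        return sess.user

    def revoke(self, token: str) -> None:
        """Log out: forget the token so the cookie becomes worthless."""
        self._sessions.pop(self._key(token), None)


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie header value with the attributes the answer recommends.

    Secure keeps the cookie off plain HTTP; HttpOnly keeps it away from script.
    SameSite=Lax is an addition of this example.
    """
    return (f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={ABSOLUTE_LIFETIME}")


def user_from_cookie_header(store: SessionStore, cookie_header: str, now=None):
    """Parse an incoming Cookie request header and resolve our session cookie."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return store.lookup(value, now)
    return None


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(set_cookie_header(tok))
    # Constructed request header: a browser sending the cookie back.
    print(user_from_cookie_header(store, f"theme=dark; {COOKIE_NAME}={tok}"))
```

Note that the cookie value itself carries no user data at all; everything the application needs lives in the store, which is what lets a logout or a server-side revocation invalidate a cookie the browser still holds.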