It looks like CanCan always assume a nested resource's parent has_many of the resource and structures its queries accordingly. As a result, nested has_one resources fail to load properly.
adding :singular option to support has_one associations in load/authorize resource - closed by 84f4c90
Once CanCan 1.3 is released you can use it like this.
class OrdersController < ActionController::Base
load_and_authorize_resource :order, :through => :cart, :singleton => true