The apache httpd module, mod_auth_josso, hardcodes for 'http://'. For the pass-back URL (JOSSO_BACK_TO). It should check to see what the in-bound scheme is and carry that over to the URL.
Submitted patch: https://sourceforge.net/tracker/?func=detail&aid=2786669&group_id=116854&atid=676234
Take a look at JIRA issue http://www.josso.org/jira/browse/JOSSO-140
Submitted patch:
https://sourceforge.net/tracker/?func=detail&aid=2786669&group_id=116854&atid=676234
Take a look at JIRA issue http://www.josso.org/jira/browse/JOSSO-140