Some components of the identity stack need to verify the user connected via SSL.
If you are proxying connections through OHS to your OAM servers you can set up OHS to terminate SSL and pass through the connection to OAM (usually running on port 14100). But there is a little trick that is needed to tell Weblogic that the connection is secure - even though it may be coming in over a non secure port (14100).
Chris Johnson has a comprehensive write up on SSL offloading which covers the more complex scenario where an external load balancer is doing the termination.
The recipe I describe here is for the simpler case where OHS is terminating SSL and forwarding the connections to OAM vi the mod_weblogic plugin.
First validate that your Weblogic domain has the Weblogic Plugin enabled (see Chris's article above). I found that it was enabled by default. YMMV.
Login to /oamconsole and navigate to
System Configuration -> Access Manager -> Access Manager Settings
Edit your load balancer settings to enable SSL. Here is an example:
Note that the server host and port are your OHS instance (not the OAM server / port number).
Restart the oam_server1 managed server for this change to take effect.
Now edit your mod_wl_ohs.conf in your OHS instance and set the "WLProxySSL" to ON for OAM and OAAM:
Restart your OHS instance.
Try to go to a protected resource. You should be redirected to the OAM login page over an SSL connection.