When single sign-on is enabled and access is via HTTPS some items are insecure resulting in browsers warnings, or worse. Verified in admin section.
Around line 243 of domain-mapping.php $url is set. Hard coded to HTTP only.
This URL is then used to render the stylesheet_for_cookie.
This is particularly problematic when using WP core config FORCE_SSL_ADMIN or FORCE_SSL_LOGIN.
A similar problem exists in multi-domains plugin too as it uses the same technique ($url is set around line 1123 of multi-domains.php).