Make sure you have the kernel parameter ForceHostP set to 1 when using ssl. This avoids situations where users have to login twice during a session (which happens when switching between domain and www.domain urls with https).
security::locations uses the domain that is configured in the config.tcl file. The domain needs to be consistent with it (and so assumes ForceHostP is set to 1 for secure connections.)
Also, use a recent version of the config.tcl file to make sure that the config settings are available for security::locations.