According to this thread CM 3.6.3 uses outdated Openfire class files which cause problems for https.
A new CM should always use the current Openfire classes.
Removing the 'fix version' for all unresolved issues that were scheduled for version 7.8.2. We're releasing this version today - the remaining issues should be rescheduled later.
Guus, Is this issue still valid?
The problem has gotten worse: over the last few years, Openfire has received a lot of modifications, but most of them never made it into the CM implementation.