Ram,
Just to follow up. I'm lucky enough to work with Sudarshan Paliwal who had researched the answer.
Apparently when copying from HP1 that meant everything on the backend, including Client 000 so the entry in HTTPURLLOC in client 000 was incorrect and still pointing to HP1.
Sudarshan found the following article which contained the helpful hint:
HTTPURLLOC in Client/Mandant 000
Usually the HTTPURLLOC table is only configured for the one specific client where the information is required. However, there is one additional case where this is not sufficient. When a special logon application, for example in 620 the BSP SYSTEM application or from 640 the ICF SYSTEM logon, is used, then the first part of the logon runs without any user of client information. This information only becomes avialable after a successful logon. Up to that point, all requests are processed in client 000! Thus, when any of these logon applications are used, and no access point information is available, the HTTPURLLOC table must also have entries in client 000 for the switch onto HTTPS to work.