...
To diagnose looping problems, you need to review the FlowsAndConfig topic that outlines the general sequence of events in a standard Shibboleth interaction, including what cookies are generally created and when they have to be read back in. The green tip boxes in the page will help you spot these points in the process.
...
Only give up on the cookieProps change as a last resort. I'm not aware of any situations in which one of the above mechanisms won't work, and the additional protection of limiting the cookie to SSL is substantial. It's only omitted by default because so many people end up with loops and complain to the support list.
Requests bouncing without scheme change
If Apache 2.4 is involved, check the Apache Virtual Host. If the protected <Directory> or <Location> has a
Require all granted
directive, remove it and restart Apache.