Not sure I understand. These are corp users at home dialing in with VPN. If they do not have the corp cert on the device, they need to get routed to onboard their home device (Win/Mac).
As for HTTPS, are you suggesting they manually go to a captive portal to onboard once connected to the VPN?