If you replaced the HTTPS certificate in your IAP cluster, you should refer to the name in your certificate. So if your certificate is for login.yourcompany.com, the link in your login page should be:
https://login.yourcompany.com/swarm.cgi
In case you have a wildcard certificate, use captiveportal-login.yourcompany.com (click for link).
Only if you are connected via the Wireless, and you are in the captive portal, the Instant AP will respond with its own IP on DNS queries for the name in your certificate. So you don't need to have it in DNS.