Release 3.3 of the IAP code stream was published this week. Notably included in this release is the ability to redirect to an external captive portal via https which was previously not possible.
In reviewing this for a few deployments, it was isolated that if clients want to whitelist any HTTPS sites, they should use the pre-auth ACL role configuration to allow HTTPS, instead of using the manual white list feature. The manual whitelist of the walled garden only supports HTTP, not HTTPS (because there is no such thing as a transparent HTTPS proxy) Therefore, the only way to white list HTTPS sites would be through the ACL level.
Check out the release notes, lots of other new goodies in there as well.
Code is on the support site.
Adam