I've not seen it documented anywhere, but did you know that your OneClick server probably has Axis2 enabled.
This is a useful tool for doing server administration, but it don't think it has a place on a Spectrum Server.
You can check by browsing to your OneClick server url, and at the end of the fqdn adding a /Axis2 and see what you get
The default login is admin/axis2 (or it might be Axis2). There is a good KB that tells you how to disable this and how to change the password. This is fine, except, the next time you upgrade, or patch, it comes back. The install decides that it will overwrite your configuration and enable this tool again. So if you thought you'd disabled it and you've patched, then I bet you, its back.
The second thing that I have noticed is that in my environment, https is the preferred method for connections to webservers, so I disabled http access completely. I didn't worry about doing redirect, just disabled. When I patched/upgraded my server, http came back. It actually modified the config file in Tomcat\config. I know this because it left my new keystore details to what I set it and not the default (which is good) but then http was reenabled (which is bad).
Possibly if you enable http redirect, this won't happen. I've not checked this.
Worth raising a CA case do you think?