The latest in the process that the transfer to the SSL server should take place is going from the cart page to the checkout page.
This is to ensure that the user is on the secure page while entering credit card details.
It is not necessary to transfer back to the non secure server.
A best practice would be to force them to the SSL Server if they try to access any of the pages using the unsecure server. This can be done pretty easily using the Apache mod rewrite utility. See the following for more information: