The problem is that the $WAGLOBAL_Root_URL setting in the WA_Globals file points to the non-secure domain. The return URL uses the $WAGLOBAL_Root_URL to tell PayPal the domain to return to.
There is no problem with hosting all of the pages on the SSL server and making all of the pages secure; this is the simplest solution to the problem.