I believe that the loop is caused by trying to have Tomcat make the decisions about what ports to serve.
In my case, we enforce SSL across the board. The load cost of SSL isn't high enough for us to worry about doing it otherwise.
However, in your instance, as I understand, you want SSL for logins only.
In this case, here is how I would lay it out:
Tomcat should listen only on the ajp13 port (8009 by default).
Apache should listen on 80 & 443.
Use mod_rewrite to handle the SSL redirects in this manner:
Note, this is not syntactically correct:
vhost:80
rewrite ^"login page" > https://my.domain.com
do not rewrite any other requests.
vhost:443:
match != login pages > http://my.domain.com
I believe something like that is what you need. Trying to have Tomcat do the decision making of https/http is probably going to give you far too much grief.
I'm afraid my mod_rewrite skills are not strong enough to be very helpful, but if you like I can get you started on the basic matching to redirect up to https.
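
The layout sketched in the post above, written out as Apache directives. This is an added example, not the poster's configuration. It assumes the login pages live under /login, that Tomcat's AJP connector is on localhost, that mod_rewrite, mod_ssl, mod_proxy and mod_proxy_ajp are loaded (the post does not say which AJP connector module is in use), and the certificate paths are placeholders.

```apache
# Added example. Assumed names: /login prefix, localhost AJP backend,
# placeholder certificate paths. my.domain.com is the host from the post.

<VirtualHost *:80>
    ServerName my.domain.com

    RewriteEngine On
    # Send only the login pages up to HTTPS. No other request is rewritten,
    # so there is nothing on this vhost that can bounce back and loop.
    RewriteRule ^/login(/.*)?$ https://my.domain.com%{REQUEST_URI} [R=302,L]

    # Tomcat is reached only over AJP (8009 by default); it never decides
    # between http and https itself.
    ProxyPass / ajp://localhost:8009/
</VirtualHost>

<VirtualHost *:443>
    ServerName my.domain.com

    SSLEngine On
    SSLCertificateFile    /path/to/placeholder.crt
    SSLCertificateKeyFile /path/to/placeholder.key

    RewriteEngine On
    # Anything that is NOT a login page goes back down to HTTP.
    # The condition is the exact complement of the :80 rule, so each URL
    # has exactly one scheme and the two vhosts cannot redirect in a cycle.
    RewriteCond %{REQUEST_URI} !^/login(/|$)
    RewriteRule ^ http://my.domain.com%{REQUEST_URI} [R=302,L]

    ProxyPass / ajp://localhost:8009/
</VirtualHost>
```

The login form's POST target has to sit under the same /login prefix, otherwise the :443 rule redirects the submission to HTTP. With this split, a session cookie issued at login is sent in clear text on later HTTP requests unless it carries the Secure flag, in which case it is not sent on those requests at all.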