Thanks for the replies, and sorry about the delay in getting back to you, but we did finally get to the bottom of what was causing it. It was nothing to do with Moodle.
A beta version of Google's mod_spdy had been installed and enabled for some time. This attempts to use the SPDY protocol for secure connections, if supported by the browser, and defaults back to HTTPS if it isn't supported - the problem was only occurring in browsers that support SPDY.
I'm not sure whether the problem had always been occurring, and not been noticed, or if an Apache upgrade had changed the way something worked, and triggered it. However, disabling the module resolved the issue. I think we'll be doing a lot of testing of any upgraded version before we consider re-enabling it.