It's really a major deficiency on how things work together (SSL, HTTP, CNAMEs)

Maybe the solution is having stuff.blah.com redirect to blah.com/stuff and do SSL from there

Ugly, but it gets the job done.