I changed the check to this:
if {[util_complete_url_p $return_url] && ![regexp "^[ad_url]" $return_url]} {
And that works if your register page is HTTPS and you redirect to HTTP. That should cover almost every case. I can't imagine you would have an HTTP login page, but redirect to HTTPS.
Is this reasonable? It checks if the redirect matches the system URL as specified in the acs-kernel parameters.
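
The question above is whether a prefix match against the system URL is a sufficient `return_url` check. As an added example (not part of the original post and not OpenACS code), this standalone Tcl runs the posted prefix test and an exact host comparison over constructed absolute URLs; `system_url` stands in for the value returned by `ad_url`, and `prefix_ok`, `url_host` and `same_host_ok` are hypothetical helpers.

```tcl
# Added example, not OpenACS code. system_url stands in for [ad_url];
# every URL below is a constructed sample.
set system_url "https://www.example.com"

# The test as posted: accept when return_url starts with the system URL.
# The system URL is used as a regex, so "." matches any character, and
# nothing requires the host name to end where the system URL ends.
proc prefix_ok {system_url return_url} {
    return [regexp "^$system_url" $return_url]
}

# Extract the lower-cased host of an absolute http(s) URL, or "" when the
# URL does not parse, has userinfo ("user@host"), or an unusual host
# (IPv6 literals are rejected by this sketch).
proc url_host {url} {
    if {![regexp -nocase {^https?://([^/?#]*)} $url -> authority]} {
        return ""
    }
    if {[string first "@" $authority] >= 0} { return "" }
    if {![regexp {^([A-Za-z0-9.-]+)(?::[0-9]+)?$} $authority -> host]} {
        return ""
    }
    return [string tolower $host]
}

# Accept only when both URLs name exactly the same host. Scheme and port
# are ignored on purpose, so an HTTPS login page may send users to HTTP.
proc same_host_ok {system_url return_url} {
    set sys [url_host $system_url]
    set ret [url_host $return_url]
    return [expr {$sys ne "" && $sys eq $ret}]
}

# Print both verdicts (1 = accepted) for each constructed return_url.
foreach url {
    https://www.example.com/dotlrn/
    http://www.example.com/register/
    https://www.example.com.other.test/
    https://www.example.com@other.test/
    https://wwwXexample.com/
} {
    puts [format "%-38s prefix=%d host=%d" $url \
        [prefix_ok $system_url $url] [same_host_ok $system_url $url]]
}
```

Relative URLs are outside this sketch; in the posted condition they are already excluded by `util_complete_url_p`.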