You are right, Apache at UCS use SNI for SSL. But instead of changing the URL at the nginx side, the prefered way is to set the external fqdn for SSO at UCS side, see
Please be advised: This article describes a very rare scenario. One UCS DC Master is reconfigured, and no other UCS servers are in the domain or will ever be joined.
For a detailed overview of UCS Single Sign On configuration see article 16161
Problem
The default UCS Single Sign-On setup consists of an additional DNS Record that is shared between master and backup servers to provide a failsafe setup.
That default DNS Record is ucs-sso.domainname.
In certain setups, e.g. when operating UCS in…
You may also have a look at our Cool Solution - Reverse Proxy for UCS Portal and Services , where we have an example configuration for nginx.