Wow, about 20 minutes after I posted this I figured out how to unset those two headers, and voila, that was indeed it.
So for those who might run into this issue in the future, if you unset your pragma and cache-control headers (or set them to empty) then your stuff should load in IE over SSL.
What's ironic is that I was using the same middleware layer for my flex and ajax apps, and removing those two headers breaks the ajax calls because they require those to work. So now I'll have to figure out a smart way to distinguish between the two that doesn't my broker layer UI-dependent... But that's the easy part now that I've figured this out.
I really hope this helps someone in the future!
Good stuff - I also have this problem. Would you mind sharing where you set these headers (on the server or somewhere in the services-config ?).
Well all of my middleware stuff happens on the server in PHP... I don't have a services config, and our response headers get generated dynamically based on who is asking for the response and what kind of content is being passed back. Your individual situation will depend on where your headers get generated in the first place. If they're generated automatically by Apache, then you should be able to override that in whatever language is generating your response by setting something like this (in PHP):
Just as an example, quick and dirty...