XWiki is on WebSphere behind a reverse proxy which is reached using https and communicate with WebSphere in HTTP. The issue is that the external URL generated by XWiki has http instead of https in the URL scheme. XWiki expect ServletRequest#isSecure to return true if the client request is a https request but for some reason it's not the case here which makes XWiki produce proper external URL except for the scheme (host and port are properly resolved).
Looks like the fix in
XWIKI-5386 was not enough (note that in this case we do have the x-request-scheme header in the request but isSecure still does not return true).