Anyone have a definitive answer to this?
Did you try running "nscurl --ats-diagnostics" against your internal server? It uses different ATS configuration parameters to verify the server connection from "strict" to "disabled". You can use the parameters which are suitable and allows your application to connect to the internal servers.
Hope this helps