The fact that the client gets a security warning is acceptable.
The customer doesn't want to buy a public certificate so he accepts that the client will get the security warning.
This is normal behaviour.
What is not normal is to then get a second security warning before the successful login page is presented. This is what I'm trying to prevent as it does not occur when using other browsers and I've never seen it happen with legacy controllers when using IE either.