I checked the Tomcat logs. No errors, just status 200 and zero length. I appended %v (local server name) to the log to see if $host is passed through correctly. It is.
And now it's getting weird. I replaced my complex website (which runs fine with pure SSL!) with a simple "Hello World" and it works!
Seems the issue was the ETag / If-None-Match headers.
In my website I set ETag for dynamic pages which don't change frequently, so there was no need to hit the database on every request.
As soon as I turn this off, my site works.