There is a preexisting other domain which works fine with SSL, using the same keys which proves SSL is in deed working and 443 is open. It also proves that it is a known working key.
In addition, the standard http version for the moved site is working which proves that the configuration is sound in terms of apache, and it is connecting with port 80 for the moved site
The second server is also using an identical security profile as the first, literally the same one in my hosting provider, meaning that all port setting are identical across the first and second server.
Both operating systems are the same, ie the servers are clones from the same parent clone.
Ok good idea about the security groups. They were not the same group. The second server did not have a rule to allow 443.
I assumed it was the same group, because the second server was processing HTTPS for a naked domain. My assumption was based upon that.
This implies that the hosting provider has a bug in their security which was allowing 443 for naked domains, when it was not specifically allowed, and when a subdomain attempted the same thing it was denied.