Ever since I can remember, it's possible to logon to clueless via http or https.
From a security point of view, logging on via http is inadvisable.
Can you either:
(a) have http://clueless.aa.net.uk redirect to the https version, so logon is always via https; or
(b) if there's a perceived need to retain http access, put a big warning on the http logon page and a link to the https version; this will help prevent people accidentally using http when they wanted https.