If your application is accessing services on a different domain then you'll need a proxy to get around the same origin policy. For more details on the proxy and CORS see the 'Using a proxy' and 'CORS' sections in this doc:
You'll also need to have an SSL certificate on the server that hosts the application and proxy. This is necessary because we prevent authentication requests over http because sensitive data sent via GET can be viewed in server logs. To prevent this the identity manager requires that you use POST over https to ensure your credentials are secure.
Just to piggy back on what Kelly said, the Identity Manager requires SSL so you have to run your app over https and access your map/feature services over https.
I have now put a server certificate on. When I call the featurelayer using a https the layer does not render on the map, if I call it with a simple http it does render it on the map.