I've read a bunch of threads on this and I *think* I know what will fix the problem for me, but I need to wait on someone else for that process to go through, so in the meantime I want to figure out if the solution I think will work, will work or if there is something else I need to do too.
So, first off, I was getting an error about not being able to load the map content because it couldn't reach the service over HTTPS. I realized I was publishing the service using a server administrator connection over port 6080, so I published it with a server administrator connection over port 6443 and that error went away. Now I just get the error saying the layer can't be added to the map. When I look in the developer tools console, I get a message about certificate validity/trust, so I think if I just get our self-signed certificate signed by a CA, this problem might go away? The only thing that raises a red flag for me is that I can add the service manually to AGOL ("Add item from the web") using our web adaptor rest service URL (also https) and the layer will load into the web map fine. Is the web adaptor considered "trusted" to AGOL and thus can load the layer, even though the certificate on the server is not trusted? That's the only thing I can think of, otherwise I don't know why the web adaptor URL would work and publishing straight to AGOL using a raw server connection wouldn't. I would use the web adaptor URL method if it weren't for the fact that the domains and subtypes aren't maintained when adding services to a web map this way, and I need those as this web map will be used in Collector. The only way I've ever found domains and subtypes to be maintained is when publishing a service from Desktop directly to AGOL.
So - signed certificate by CA an answer to all my problems or is there something else I need to be looking at?