If you are having problems getting through the walled garden, here is what I use with Authorize.net, adapted to PayPal. I had exactly the same problem with them as you have with PayPal. I found without this, the walled garden will stop allowing the SSL pages through after a couple minutes. I think I have all the ips listed here.
/ip hotspot walled-garden ip
FYI: I do not see this as a Mikrotik bug. It is the nature of SSL protocol. Once SSL protocol is initiated, the only data available is the ip and port. The URL is in the packet header. The packet header is encrypted. Otherwise, a GET form submission would not be secure. Wouldn't want this unencrypted, would you?