Maybe if you explicitly send a "511 Network Authentication Required" HTTP status code?
Some older browsers will still have the same problem, but at least new ones may follow the redirect.
As the HTTP request is sent after the SSL handshake is done, I doubt that a browser will send its request if it gets an invalid certificate during the handshake.
Most probably it terminates the TCP connection once it's "unhappy" with the certificate.
9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
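
The 511 response suggested in the first post, as an added example that is not from the thread: a minimal plain-HTTP interceptor that answers unauthenticated clients with 511 and a link to the login page, as RFC 6585 describes. `PORTAL_URL`, the `AUTHENTICATED` set and the `probe` helper are assumptions made for illustration; it covers plain HTTP only, since over HTTPS the handshake comes before any HTTP status can be sent.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PORTAL_URL = "https://portal.example.net/login"  # assumption: placeholder login page
AUTHENTICATED = set()  # assumption: client IPs that have already logged in

BODY = (
    "<html><head><title>Network Authentication Required</title>"
    f'<meta http-equiv="refresh" content="0; url={PORTAL_URL}"></head>'
    f'<body><p>You need to <a href="{PORTAL_URL}">log in</a> '
    "to use this network.</p></body></html>"
).encode()

class PortalHandler(BaseHTTPRequestHandler):
    def _respond(self, send_body=True):
        if self.client_address[0] in AUTHENTICATED:
            # A real portal would forward the request; 204 stands in for that here.
            self.send_response(204)
            self.end_headers()
            return
        self.send_response(511, "Network Authentication Required")
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(BODY)))
        # The portal's answer must never be cached as if it were the origin's.
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        if send_body:
            self.wfile.write(BODY)

    def do_GET(self): self._respond()
    def do_POST(self): self._respond()
    def do_HEAD(self): self._respond(send_body=False)
    def log_message(self, *args): pass  # keep the demo quiet

def probe(method="GET"):
    """Run the portal on a loopback port, send one request, return (status, cache, body)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), PortalHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request(method, "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Cache-Control"), resp.read()
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(probe()[:2])
```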