I realize this is an ancient thread, but I ran into this myself recently and Googled up this unanswered question.
What worked for me is setting up OS X Server's Apache to reverse-proxy port 8443 and forward the traffic to the Calendar Server's unsecure 8008 port. You have to turn off the Calendar Server's own SSL on 8443. Furthermore, you have to hand-edit the appropriate conf file in /etc/apache2/sites to have the needed rewrite rules after adding the new 8443 site in the GUI. But it seems to work. Apache can be told not to support TRACE but the built-in web server of the Calendar Server can't.
This is the basic method, as applied to another application:
The write-up only covers the non-server version of OS X, but does have the correct rewrite rules.
You could also use an entirely different machine for the reverse proxy and forward the traffic across your own private network. Lots of options