In our case, we set the arguments in the relevant /opt/coldfsion2018/<instance>/bin/jvm.config files, then restarted the cf instances that were affected (only certain instances use this particular sso integration). I didn't even test the cfhttp to see if it would work without a restart, I just assumed from experience that a restart was required for that kind of change.
Generally, it seems that the ssl certificates on the sso system are set up correctly (as all the other systems throughout our large organization that use the same SSO/oauth system were not experiencing this problem), but there is a bug in the jvm version that CF is using (
https://bugs.openjdk.org/browse/JDK-8211806) that caused the http request to reject the certificate (I'm not an expert on that part, so that probably needs validation from the cf engineering team). Forcing the use of tls1.2 fixed the issue for this scenario where we were triggering that bug.
The weird part about it to me was that cfoauth connected fine to the domain, but then the cfhttp did not like the certificate, and then after that first cfhttp request, none of the cfoauth requests worked until the cf instance was restarted. That inconsistency leads me to assume there is something in the cfoauth behind the scenes when it hits the oauth server that cfhttp does differently. but then the cfhttp perhaps cached some connection info to that domain that subsequent cfoauth requests picked up and that stopped them from working.
To me, this kind of seems like a bug that should probably be resolved by upgrading the jvm from 11.0.1 to 11.0.2+ (like Charlie describes here:
https://coldfusion.adobe.com/2019/06/error-calling-cf-via-https-solved-updating-jvm/), but I felt that just adding arguments to the jvm.config was more expedient to get the team of people that were waiting for this to be fixed to the point where they could log into the system. I may still initiate a jvm update for our servers, but that would have required a more thorough QA process for my team than I wanted to commit to yesterday for an urgent incident.
In terms of Use case for a cfhttp feature change, I can see scenarios where a developer might want to ignore certificate warnings or test using a particular tls version (particularly in development environments).
@bhartsfield suggested it above so I am sure that I am not the only one. I don't personally feel like it is something I would run into everyday by any means, but having more control over those things might come in handy from time to time.