Traffic routing
The ODAS Planner, Catalog, REST Server, and Okera Portal services, by default, run behind a load balancer. As a result, any of these services can be accessed via any hostname or IP that is on the cluster, and the request will be routed to the correct node. The worker services are an exception, as ODAS carefully controls the load on the data path for optimal cluster performance.
SSL/CNAMES
For SSL (and Kerberos), clients will check that the CNAME in the certificate (or Kerberos keytab) matches the service host name it resolves to, not the resolved IP. The certificate contains a list of DNS entries, and clients will verify that the host they are connecting to is in this list. Note that not all clients do this, but more secure ones do.
SSL is enabled on a service-specific basis and is bound to a distinct host and port. Additionally, CNAMES can be reused for other non-secure services, so it is not accurate to assume that all hosts in a list of CNAMES are SSL enabled. Currently, only the REST API and Okera Portal endpoints are encrypted.
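The hostname check described above, worked through as an added example (not code from Okera or ODAS): a client compares the host name it connected to against the DNS names listed in the certificate's Subject Alternative Name extension, never the IP that name resolved to. The SAN list and host names are constructed for the example; the matching rules follow RFC 6125, and the helper also shows the client-side context settings that make Python's ssl module enforce this check.

```python
"""Hostname verification against a certificate's DNS SAN list (added example).

A client that verifies the server identity compares the *host name* it used
to connect against the DNS names in the certificate. An IP address never
matches a DNS name, so connecting by IP fails verification even when that IP
is exactly what the DNS name resolves to.
"""
import ipaddress
import ssl

# Constructed sample: DNS names as they might appear in a certificate's SAN
# extension for a REST / portal endpoint. Hypothetical names, not Okera's.
SAMPLE_SAN_DNS_NAMES = [
    "odas-rest.example.internal",
    "*.portal.example.internal",
]


def _is_ip_literal(host):
    """True if 'host' is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches_san(hostname, san_dns_names):
    """Return True if hostname matches one of the DNS SAN entries.

    Rules (RFC 6125 style):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is only honoured as the whole left-most label and matches
        exactly one label, so '*.portal.example.internal' matches
        'ui.portal.example.internal' but not 'a.b.portal.example.internal'
        or 'portal.example.internal'
      * an IP literal never matches a DNS SAN
    """
    host = hostname.rstrip(".").lower()
    if _is_ip_literal(host):
        return False
    host_labels = host.split(".")

    for name in san_dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        # A wildcard consumes one label, so label counts must be equal.
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[0] == "*":
            # Refuse overly broad wildcards such as '*.com'.
            if len(pat_labels) < 3:
                continue
            if pat_labels[1:] == host_labels[1:]:
                return True
        elif pat_labels == host_labels:
            return True
    return False


def verifying_client_context():
    """TLS client context that enforces chain validation AND hostname match.

    check_hostname=True is what makes the client perform the SAN comparison
    above against the server_hostname passed to wrap_socket().
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for host in ["odas-rest.example.internal", "ui.portal.example.internal",
                 "a.b.portal.example.internal", "10.0.0.5"]:
        print(host, "->", hostname_matches_san(host, SAMPLE_SAN_DNS_NAMES))
```

The practical consequence for the routing model above: a client that reaches a service through an arbitrary cluster IP or a CNAME that is not in the certificate's SAN list will fail verification, so the name clients actually use must be one of the names the certificate carries.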
For more information about how Okera works with SSL, refer here.