For whatever magical reason, upon updating to WordPress 4.9, the SSL versions of all these additional domain-based WP sites now appear to be working, so I’ve gone ahead and set WP up to force SSL connections for both admin and the public facing sites, and used some plugins to clean-up mixed content errors. So, whatever the difficulty was, it appears to have been addressed, and all the sites are now secured, and seem to pass external SSL validation tests with flying colors.
I am still curious whether the preferred usage is to put all of the domains being hosted on the server inside a single certificate, or whether it would be preferable for each domain to have its own separate certificate with only that domain (and any aliases like www.*) listed on it. But given that this is a homebrew server, without any clear “ownership” of the sites really being asserted this seems like a secondary concern.
Thanks to everyone who responded! I wish I understood what had changed, but am happy not to have to think about this any more at the moment.