Right now, in order to enable SSL for noVNC between the foreman server and client, it is necessary to update /usr/share/foreman/lib/vnc_proxy.rb install and every update from:
cmd = "#{ws_proxy} --daemon --run-once --timeout=#{timeout} #{port} #{host}:#{host_port}"
to:
cmd = "#{ws_proxy} --daemon --run-once --timeout=#{timeout} #{port} #{host}:#{host_port} --cert=<file-containing-cert-and-key> --ssl-only"

And I believe it is also necessary to edit /var/lib/foreman/public/javascripts/noVNC/rfb.js and change:
if (conf.encrypt) {
uri = "wss://";
} else {
uri = "ws://";
}
to:
if (conf.encrypt) {
uri = "wss://";
} else {
uri = "wss://";
}
though this looks like it should work without modification as expected if conf.encrypt gets set true where ever necessary.

My thinking is that maybe this can be configured from the settings within the webui by setting the cert file in a similar fashio to the ssl_certificate option, and have a secure vnc true/false option similar to the others available, that will then set things up to run accordingly.