After a ton of digging, I finally figured it out.
First - a quick recap: The captive portal's job is to intercept any requests to the internet, and redirect it to the captive portal's login page. Because my login page is cprewrite.hyperlinkinc.ca, a remote website, I had to add it to the whitelist. Any requests to that domain will actually get online. This works great.
The problem is that when the user is redirected to that web page, the web page's HTML reference some external resources. My page relied on bootstrap for some css formatting. My bootstrap was stored locally, on cprewrite.hyperlinkinc.ca, so that wasn't a problem. Unfortunately, when I read the source code for bootstrap (bootstrap.min.css), one of the first lines reads:
Essentially bootstrap references an external resource for its fonts. This makes the Galaxy S8 try to load the resource. Because the link is an HTTPS link (not HTTP), it is expecting to receive an SSL cert for fonts.googleapis.com. Since fonts.googleapis.com was not in the whitelist, my captive portal was redirecting the request to itself, returning its own SSL certificate, rather then the expected one.
Some browsers, like the regular Google Chrome browser on Android, just fail silently. Others, like this In-App browser, fail loudly, and show an SSL warning.
I'm still not entirely sure what this browser is that pops up when captive portals are detected, but the question is now moot, since I know why it didn't like my page.