No immediate answers but a couple things to consider.
If you are not requiring HTTPS on the Portal, take the HTTPS aspect out of the URL calling the web map. That should eliminate the mixed content issue.
If you are required to use HTTPS due to a company IT policy, then maybe think twice about including non-HTTPS sites. The whole point of the policy I would guess is that all communication be encrypted. Perhaps the approach for an application requiring external non-HTTPS content is that all material be approved by management as being OK to use in non-encrypted applications. Basic CYA.
Have you tried to access your non-Https sites with the https prefix? If that kind of works but still throws a certificate warning, look at the certificate. Maybe you have to change the domain part of the URL to include a fully qualified name. The resource part of the URL has to match the certificate.
Not sure on this but try sharing the web map to 'Everyone'. Presumably no authentication occurs for that?