Your web service runs over a web server. Depending on SAS release and platform, this is usually a derivative of apache.
I suggest disabling the HTTP port in the web server configuration, or implementing an automatic reroute to HTTPS there.
And you need (at the moment I can only speak for SAS 9.2) to replace all the http:// references with https:// in the SAS SMC.
The setup looks like this:
Internet or LAN -> (HTTP or HTTPS port) -> webserver -> web server interface module for the servlet container -> internal port -> servlet container (earlier tomcat, with SAS 9.2 jboss, don't know for 9.4) -> servlets (web applications).
The change in SAS metadata is needed so that only https:// references appear in the links that the servlets create.