Thank you.
Would you be able to test this again after installing a web debugging tool (example: Fiddler, launch it) and repeating the use case?
When you click on an attachment in USS, it's supposed to make a call to SDM's attachment URL, example:
A connection to SDM's Tomcat URL https://SDMHost:8443 HTTP/1.1
And then if the above was successful, you'll see a POST https://SDMHost:8443/CAisd/UploadServlet HTTP/1.1 with an Origin: http://YourUSSHostName:8686
Maybe the denial is on the first connection up above (maybe the browser can't reach the URL in question OR HTTPS interference), OR during the POST in the second check above (Cross Origin settings were not enabled on SDM Tomcat properly).
The above should be a bit more clear using debug tools like Fiddler.
_R
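
What to look for in the capture, as an added example that is not part of the original reply and not CA/Broadcom code: it sorts a captured session into the two failure points described above by applying the browser's standard CORS response check to the UploadServlet POST. The session object shape, the function names and the sample header values are assumptions constructed for illustration.

```javascript
// Browser-side CORS check on a response: is the requesting origin allowed?
function originAllowed(requestOrigin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  if (acao === "*") {
    return withCredentials
      ? { ok: false, reason: "wildcard origin is not accepted for credentialed requests" }
      : { ok: true, reason: "wildcard origin" };
  }
  // Origins are compared exactly: scheme, host and port must all match.
  if (acao !== requestOrigin) return { ok: false, reason: `allowed origin ${acao} != ${requestOrigin}` };
  if (withCredentials && h["access-control-allow-credentials"] !== "true")
    return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
  return { ok: true, reason: "origin matches" };
}

// Hypothetical session shape: { connect: {established}, post: {requestHeaders, responseHeaders} }
function diagnose(session) {
  // Check 1: did the browser reach the SDM Tomcat URL at all (TLS included)?
  if (!session.connect || !session.connect.established)
    return "first connection failed: URL unreachable or HTTPS interference";
  const post = session.post;
  if (!post) return "no POST to UploadServlet captured";
  // Check 2: does the POST response allow the USS origin?
  const cors = originAllowed(post.requestHeaders.Origin, post.responseHeaders, post.withCredentials);
  return cors.ok ? "both checks passed" : `POST blocked by cross-origin policy: ${cors.reason}`;
}

// Constructed sample: connection succeeds, but SDM Tomcat returns no CORS headers.
const sample = {
  connect: { established: true },
  post: {
    url: "https://SDMHost:8443/CAisd/UploadServlet",
    requestHeaders: { Origin: "http://YourUSSHostName:8686" },
    responseHeaders: { "Content-Type": "text/html" },
  },
};
console.log(diagnose(sample));
```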