I have followed all the instructions (whitelist set up, virtual proxy, ticket, certificate in the header etc etc), I've talked with a qlik employee all to no avail.
I also looked at this discussion thread https://community.qlik.com/thread/134823 which ends with "There is a known limitation that using extensions in a mashup hosted on an external web server does not work because of CORS problems. We are working on a solution for this. We hope to be able to simplify this setup in future releases, but this is how it works in 1.0."
Has anyone successfully got a setup like this working at all? If so I'd love to know how you did it. At the end of the day when I make a call to the qlik server to get the application and object that communication fails because a 301 response code is returned (all the details including code are in the first link above).