Channel: SCN: Message List - Security

Re: SAP, OpenSSL, and Heartbleed

Allaine,

 

You left out an important part of Note 2003582, "Default Tomcat provided by SAP with SAP Business Intelligence products is not affected by this issue, unless customers explicitly enable SSL using APR native tomcat library [emphasis added. It provides some links, then continues], SAP will provide updated Tomcat in the future patches". Patches wouldn't be required if there wasn't a problem.

 

Also, the Note neglects to mention that APR is the default engine if you enable SSL. See

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File

E.g., our Tomcat6\conf\server.xml contains these lines:

 

<!-- APR library loader. Documentation at /docs/apr.html  -->

  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

 

Regards,

Sean
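
Added example (not part of the original post and not SAP or Tomcat code): a small audit of a server.xml that reports, for each SSL-enabled Connector, whether TLS would be handled by the APR/OpenSSL engine or by Java JSSE. The sample file is constructed around the Listener line quoted above, and the classification labels are this example's own. It only reads configuration; whether the Tomcat native library is installed, and which OpenSSL build it links, has to be checked separately.

```python
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",     # blocking Java connector
    "org.apache.coyote.http11.Http11NioProtocol",  # NIO Java connector
}

# Constructed sample; the Listener line is the one quoted in the post.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" />
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Return (apr_ssl_on, [(port, tls_stack), ...]) for SSL-enabled connectors."""
    root = ET.fromstring(xml_text)
    # SSLEngine defaults to "on" when the attribute is absent.
    apr_ssl_on = any(
        lst.get("className") == APR_LISTENER
        and lst.get("SSLEngine", "on").lower() != "off"
        for lst in root.iter("Listener")
    )
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # connector does not terminate TLS
        proto = conn.get("protocol", "HTTP/1.1")
        if proto in JSSE_PROTOCOLS:
            stack = "jsse"  # Java TLS, OpenSSL not used
        elif proto == APR_PROTOCOL:
            stack = "openssl"  # APR connector forced explicitly
        elif apr_ssl_on:
            stack = "openssl-if-native-loaded"  # auto-select picks APR
        else:
            stack = "no-apr-ssl"  # APR SSL engine not initialised
        results.append((conn.get("port"), stack))
    return apr_ssl_on, results


if __name__ == "__main__":
    print(audit_server_xml(SAMPLE))
```

Connectors reported as "openssl" or "openssl-if-native-loaded" are the ones to follow up on; setting an explicit JSSE protocol class on the Connector moves it to "jsse".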

