You will need to ensure that cloud-console.domain.com is also using SSL Offload. Depending on what you're using for load balancing, you'll need to ensure that it supports doing SSL Offload for websocket connections.
It's important that the console certificates are valid, as browsers such as Chrome will not connect to a websocket with a non-valid/trusted certificate (developer console will show this).
We run this as follows:
1. Run an internal CA which has a single certificate on all cells which covers the cell and console FQDNs. You could just as easily use a wildcard in this case. The thing to be careful of is that all cells need to use the same internal certificate, as this is used to sign material that is sent to the client. If your request to the console went to a different cell than the one that received the vCD request, things break.
2. Have a public-facing SSL (in our case, Let's Encrypt, because short-lived certificates are good) handled by the load balancer.
Hope this helps.
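
One way to check the "same internal certificate on all cells" requirement described above, as an added example that is not part of the original post: it compares the SHA-256 fingerprint of the certificate each cell presents and treats an unreachable cell as a failure. The cell hostnames, port 443 and all function names are assumptions, and the sample certificates in the demo are constructed placeholder bytes.

```python
import hashlib
import ssl
from collections import defaultdict

# Hypothetical cell addresses (assumption): query each cell directly,
# not through the load balancer, which presents the public certificate.
CELLS = [("cell1.internal.example", 443), ("cell2.internal.example", 443)]
UNREACHABLE = "unreachable"


def fetch_pem(host, port):
    """Return the leaf certificate a cell presents, as PEM (no chain validation)."""
    return ssl.get_server_certificate((host, port))


def fingerprint(pem):
    """SHA-256 hex digest of the certificate's DER encoding."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def group_by_certificate(cells, fetch=fetch_pem):
    """Map each fingerprint (or UNREACHABLE) to the cells that returned it."""
    groups = defaultdict(list)
    for host, port in cells:
        try:
            key = fingerprint(fetch(host, port))
        except (OSError, ValueError):  # connection/TLS failure or malformed PEM
            key = UNREACHABLE
        groups[key].append(f"{host}:{port}")
    return dict(groups)


def cells_consistent(cells, fetch=fetch_pem):
    """True only if every cell answered and all presented the same certificate."""
    groups = group_by_certificate(cells, fetch)
    return len(groups) == 1 and UNREACHABLE not in groups


if __name__ == "__main__":
    # Constructed placeholder bytes wrapped as PEM, not real certificates.
    shared = ssl.DER_cert_to_PEM_cert(b"constructed-cert-A")
    drifted = ssl.DER_cert_to_PEM_cert(b"constructed-cert-B")
    sample = {"cell1.internal.example": shared, "cell2.internal.example": drifted}
    for fp, members in group_by_certificate(CELLS, lambda h, p: sample[h]).items():
        print(fp[:16], ", ".join(members))
    print("consistent:", cells_consistent(CELLS, lambda h, p: sample[h]))
```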