This is caused by OF-671.The solution was to call the StringUtils.removeXSSCharacters() method from server2server-settings.jsp but a domain name of the form of my-domain.com is still valid. The situation is that now no domains containing dashes “-” can be white or black listed.
A solution would be to write a more relaxed implementation of the StringUtils.removeXSSCharacters().