Is the problem limited to your OpenID connections, and your Spring Social connections work fine with proxy settings picked up correctly? As you mentioned, we haven't made any changes there other than isolating the HttpComponents 4.x class imports in a inner class to account for eager class verification environments when Http Components 4.x is not on the classpath. The proxy configuration we apply in ClientHttpRequestFactorySelector is local to Spring Social usages (OAuthOperations and API bindings), and is not picked up anywhere else. So I don't think Spring Social could effect Spring Security in this area.
You may want to consider ruling out Spring Social as the culprit by turning on your debugger inside ClientHttpRequestFactorySelector and verifying proxyHost/proxyPort is set properly.
Core Spring Development Team