The problem with Cloudflare’s FlexibleSSL solution and OJS is that the connection between the client and CloudFlare is SSL, but the connection between Cloudflare and the server hosting OJS is not. So, you end up with a situation where, if force_ssl is off, the main page is SSL but internal requests are not. And enabling force_ssl just creates the loop you see.
The ultimate solution is probably to leave force_ssl off and modify page URLs to use relative protocols instead of hardcoded http or https ones. A relative protocol would look like //www.your-journal-com/index.php/journal/$$$call$$$…
There is one place in the OJS codebase that already does this, when LESS CSS files are compiled. Be warned that not all browsers support them, and annoyingly IE 7 and 8 fetch protocol relative resources twice.
There’s a blog post about fixing this same issue for Wordpress, here:
Alternatively, and probably more robustly, use a different SSL provider. PKP|PS uses Let’s Encrypt. It’s free, works everywhere, and the only small annoyance is that you need to renew your certificates every 3 months. But you can use a CLI to script the renewal automatically. I’m not sure how that would work with Windows Server.