After the session is started the connection is direct between the client and VM. It's encrypted using the crypto of the protocol. This is true for RDP and PCoIP.
The Security Server also called the Secure Tunnel transports RDP and Blast over SSL. RDP also uses its protocol level crypto so its double encrypted. PCoIP is not transported over SSL the auth for the view session is over SSL and PCoIP is done using protocol level crypto even in the case of the Security Server / Gateway.
One important detail is the Secure Tunnel and Security Server are the same software. It just depends where it runs. Secure Tunnel ( When enabled ) is running on the CB. Security Server is run as a standalone server. Generally Secure Tunnel is the SS module on the CB and used for tunneling all connections though the CB.
Think of it as a service that has 3 modules for routing / tunneling protocol traffic RDP/PCoIP/BLAST. Depending on the protocol used a different module for tunneling traffic might be used.