This initial complementary configuration step is required only if your Jira instance has a Single Sign-On plugin installed like KantegaSSO or IWAAC Kerberos SSO. In this case, some Jira URLs must be whitelisted in the SSO plugin to allow the friending between Jira and the CLM application you are trying to connect. These URLs are for services discovery and to allow OAuth authentication between these applications; therefore, it is completely safe (and necessary) to grant them free access.
URLs to whitelist are:
Avoiding this step will prevent creating friends from CLM application to Jira, a message like "root services URL is invalid" will be displayed or an unauthorized access error (401) will be reported in the CLM application.
Any other Jira URL remains authentication protected. Whitelisting those discovery URLs does not let anyone accessing any content he should not be allowed to. Also note all other OSLC applications have the same whitelisting requirement.