This post is largely thanks to Egidio Caleiro Santoro and his comments on my earlier blog post.
If you have your CloudFlare security setting (SSL/TLS tab) set to Full or Full (Strict) and your app.yaml handler has secure set to always e.g. "secure: always", a redirect loop can arise. A temporarily workaround is to set secure to optional until you resolve these redirection issues.
In the above case a redirect loop should not typically occur since CF will contact your origin server using HTTPS, with secure set to always, GAE will respond over HTTPS too, no redirects are done. However if some of the old settings and DNS entries are still not in effect, redirections to HTTP could occur at some point in the communications.
CF has a good article explaining how to remove these redirect loops. Whenever dealing with DNS changes, it's always a good idea to wait 24-48 hours for all configurations to propagate (yes it should be quicker but sometimes waiting is the only option). At that point both CF and GAE security settings should be set to Full and always, respectively.