When I look at the source code I see:
So that hidden field is getting filled in by a URL. And it is to an SSL (https) page. Presumably that's where you go after a successful login. The page with the form on it is itself /login on that server. So it's submitting to itself. That's pretty common. As I say, if the login is successful, it probably goes to that page in the hidden field. If not, you are back on the /login page, presumably now with an error message like "Card number and PIN do not match".
<form action=/login method=post>
<input type=hidden value=https://libproxy.coj.net/overdrive/jacksonville?URL=Default.htm name=url>
<strong>Library Card Number:</strong>
<input name=user><br /><br />
<input type=password name=pass><br /><br /><input type=submit value=Login>
So that's why there's that message. The page it is going to is secure. In order to avoid that message, all content on that page must also be secure. If you have an SSL, a part of your site that's https, then host your CSS file there and that should take care of it as long as there aren't other insecure things like scripts or images, Flash, etc.
Oh, and just hosting those files on an SSL might not be enough; the path to them on your pages may have to include the https prefix and full path.
Do you own the libproxy.coj.net server? Or are you just contracting out login services to it? Or is there a more extensive relationship?
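The check described above, as an added example that is not part of the original post: a small Python scanner that lists the stylesheets, scripts, images and embeds an https page would fetch over plain http. The host names, the page URL and the sample markup are constructed for illustration and are not taken from the real login page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src",
               "embed": "src", "object": "data", "link": "href"}

class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        name = FETCH_ATTRS.get(tag)
        if name is None or not attrs.get(name):
            return
        # <link> only fetches for some rel values; stylesheets are checked here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Relative and scheme-relative (//host/x) URLs inherit the page's scheme.
        resolved = urljoin(self.page_url, attrs[name])
        if urlparse(resolved).scheme == "http":
            self.insecure.append((tag, resolved))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # the warning only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample markup with hypothetical hosts.
SAMPLE = """
<link rel=stylesheet href=http://www.library.example/css/site.css>
<link rel=stylesheet href=/css/local.css>
<script src=//cdn.example/app.js></script>
<img src=https://www.library.example/logo.png>
<img src=http://www.library.example/banner.gif>
<a href=http://www.library.example/home.htm>Home</a>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://proxy.example/login", SAMPLE):
        print(f"insecure <{tag}>: {url}")
```

Ordinary links (`<a href>`) are not reported because following a link is navigation, not content loaded into the secure page.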