Found it. We have a firewall filter that detects cross-scripting and injection attacks. For all of us tech heads: there was a json string in a POST that was tripping the filter but not displaying its normal security alert. I've exempted that value from filtering and we're back. Thank you for your help!!