Hi again,
I checked more with my team and found out that changing server.cors.origin in production mode is not supported in Kibana. It's allowed as an option just in Dev mode as it is necessary for running unit tests.
See the code in https://github.com/elastic/kibana/blob/4.6/src/server/config/schema.js#L47
This means that you will not be able to call Kibana API's from AJAX in a browser application. Since it's CORS, you would have the option of calling the APIs in server-based application though.