You'll usually run out of entropy before cpu usage becomes relevant with SSL processing, I've seen old versions of apache hang with little or no entropy to process SSL connections. I recommend some sort of RNG or a poor mans software version such as http://www.issihosts.com/haveged/
This comment really opened my eyes -- thank you! I am still a bit confused though. I think I was running out of entropy, but it seems nginx should use /dev/urandom, which supposedly doesn't block -- just becomes less random when entropy runs out. So is nginx set up to block when entropy is depleted and that is why this happens?