Globalprotect with 2 factor auth, client certificate problem (SSL handshake)

Hello,

having problems with GP client certificate authenticating on Android and iOS (Windows is working OK). We are using company PKI certificates, Root and Issuing CA certs have been imported to Android/iOS, as well as a device-specific client certificate from the said Issuing CA.GP Portal connection is working OK, but when the client is trying to connect to a gateway (certificate profile enabled), the connection is refused. I checked the debug logs on Android, and found the following SSL-related exception (a-test-2 is the name of the imported client cert):

(28792)05/29 23:27:34:607901 - Requesting a client certificate chain for alias [a-test-2]

(28792)05/29 23:27:34:639024 - error from connect, useOurVerifier=true

(28792)05/29 23:27:34:639172 - 1738, found exception:javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x791396f8: Failure in SSL library, usually a protocol error

error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000)

(28792)05/29 23:27:34:639223 - a client cert might not right, clear cache now

(28792)05/29 23:27:34:651072 - (l5)JNI,28806,498,not handled, ret=error, javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x791396f8: Failure in SSL library, usually a protocol error

error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000), return NULL now

(28792)05/29 23:27:34:651231 - (l6)JNI,28806,2196,Failed to pre-login to the gateway

The exact same auth sequence is working with Windows GP clients (client certs from the same issuing CA).

Anybody have any clue about this or have built similar setups and resolved the issue somehow? Any insight into this is welcome, thank you!

BR,

Arttu