Hmmm.
Certificate chain is from a reputable supplier. Root is from AddTrustExternalRoot CA which is fairly well known, although I guess that perhaps the Intermediate
Back in the day when I offloaded SSL functionality onto a Brocade ServerIron load balancer, I used to concatenate the CN and any intermediate and root certs into a single file before uploading the cert onto the load balancer. This ensures that whatever client I used validated the cert because the whole chain was there. Simple test was to just upload the CN cert, pick a browser that didn't know about the root authority and the site wouldn't be verified. Replace the cert file with one containing root and intermediate CAs and browser validates it successfully.
The web interface on the controller allows you to perform certificate management including uploading root and intermediate CAs. I guess I wrongly assumed that if the controller will allow you to upload CAs then perhaps it would use them along with the CN cert.
Next step is to replace the CA only file with one containing the full CA tree and see if that makes any difference... as suggested earlier.
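Added example, not part of the original post: a local check of the concatenated-file approach described above, using the `openssl` CLI and a throwaway three-tier PKI. All names and file paths are constructed, and the client is assumed to trust only the root.

```shell
#!/usr/bin/env bash
# Constructed PKI: root -> intermediate -> leaf. Requires the openssl CLI.

# mk NAME SUBJECT SIGNER [x509 args...]; SIGNER "self" produces a self-signed root
mk() {
  local name=$1 subj=$2 signer=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
  if [ "$signer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 "$@" \
      -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$signer.pem" -CAkey "$signer.key" \
      -CAcreateserial -days 2 "$@" -out "$name.pem" 2>/dev/null
  fi
}

build_pki() {   # $1 = working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  mk "$d/root" "/CN=Constructed Root CA" self -extfile "$d/ca.ext" &&
  mk "$d/int" "/CN=Constructed Intermediate CA" "$d/root" -extfile "$d/ca.ext" &&
  mk "$d/leaf" "/CN=www.example.test" "$d/int" &&
  # The file uploaded to the device: leaf first, then the intermediate
  cat "$d/leaf.pem" "$d/int.pem" > "$d/bundle.pem"
}

# Server sends only the leaf: the client cannot link it to the trusted root
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Server sends the bundle: certs in it are untrusted hints used to build the path
verify_with_bundle() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/bundle.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

d=$(mktemp -d)
build_pki "$d" || echo "PKI setup failed (is openssl installed?)"
if verify_leaf_only "$d"; then echo "leaf only: verified"
else echo "leaf only: FAILED (issuer not found)"; fi
if verify_with_bundle "$d"; then echo "leaf + intermediate: verified"
else echo "leaf + intermediate: FAILED"; fi
```

Against a live device, `openssl s_client -connect host:443 -showcerts` shows which certificates the server actually sends.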