I ran into the same issue with 6.8.0.109592 on a new L3 cluster over ipsecVPN.
Both CPPM's where using the self signed cert.
I created a new HTTPS server certificate signed by the internal domain-CA for both an added the domain-CA cert as trusted root. Afther this, the cluster was formed.
P.S. I also included the CPPM IP in the SAN field of the CSR.