Hi Matthias,
Most likely the issue is that you can't use a Server certificate as a Client certificate while establishing a connection to RadSec in CPPM.
The first part seems correct where you get the RadSec server certificate signed by the CPPM CA. However, if you use the same certificate and put it in Airwave, RadSec will not accept it as the purpose of that certificate is not Client Authentication.
So, I will suggest that you need to create a new CSR (preferably not in CPPM) but locally using openssl. Set the certificate purpose to "user cert". Then get it signed by the CPPM CA as you did before and use that certificate with the private key in Airwave. It should work.
Also, ensure that both the IAP and CPPM have the CA certificates. Also, that the NAS-IP-Address is being populated in the AAA server in IAP. Often that is blank and RadSec is not able to authenticate the controller/IAP properly