It took some time to get the right people/equipment in the right places in these times, but we've found the solution.
Thought it would be interesting for someone encountering the same issue.
The TLS errors combined with the cipher keys we saw earlier were indeed a good indication. We use some old equipment (C2960, C3560, etc.) with the recommended IOS from Cisco, which is 12.2(55)SE12.
If you check the version and the used cipher keys, you'll get:
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3560G-48PS 12.2(55)SE12 C3560-IPBASEK9-M
Configuration register is 0xF
switch#sh ip http client secure status
HTTP secure client ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure client trustpoint:
Modern browsers haven't used those cipher keys for some time now. If we upgrade to IOS 15.0(2) we see:
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3560G-48PS 15.0(2)SE11 C3560-IPBASEK9-M
Configuration register is 0xF
switch#sh ip http client secure status
HTTP secure client ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha
dhe-aes-256-cbc-sha
This includes more recent cipher keys.
We can conclude that our switches intercept the HTTPS session for onboarding, and since the cipher key was not supported on the switch, the complete session failed...
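To make the mismatch described in this thread reproducible without a switch on hand, here is an added example (my own code, not from the original post or from Cisco). It parses the two `sh ip http client secure status` outputs quoted above, flags the DES/3DES/RC4/MD5 suites, and simulates TLS negotiation as the intersection of what the peer offers and what the switch supports. The "modern peer" offer list is a constructed assumption written in the IOS naming style for direct comparison; it is not any specific browser's or server's exact list.

```python
"""Cipher-suite negotiation check for 'show ip http client secure status' output.

Added example, not from the original post. The two outputs below are copied from
the post; the MODERN_PEER_OFFER list is a constructed assumption.
"""

# Output quoted in the post for IOS 12.2(55)SE12.
IOS_122_OUTPUT = """\
switch#sh ip http client secure status
HTTP secure client ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure client trustpoint:
"""

# Output quoted in the post for IOS 15.0(2)SE11 (note the wrapped continuation lines).
IOS_150_OUTPUT = """\
switch#sh ip http client secure status
HTTP secure client ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha
dhe-aes-256-cbc-sha
"""

# Constructed assumption: suites a current TLS peer is still willing to use, in
# client-preference order and in IOS naming. Not a real browser's exact list.
MODERN_PEER_OFFER = [
    "ecdhe-rsa-aes-128-gcm-sha256",
    "ecdhe-rsa-aes-256-gcm-sha384",
    "dhe-aes-128-cbc-sha",
    "aes-128-cbc-sha",
    "aes-256-cbc-sha",
]


def parse_ciphersuites(output):
    """Return the suites listed after 'ciphersuite:', including any wrapped
    continuation lines, stopping at the next 'HTTP secure client' field."""
    suites = []
    collecting = False
    for line in output.splitlines():
        if line.startswith("HTTP secure client ciphersuite:"):
            collecting = True
            line = line.split(":", 1)[1]
        elif line.startswith("HTTP secure client") or line.startswith("switch#"):
            collecting = False
            continue
        if collecting:
            suites.extend(line.split())
    return suites


def is_legacy(suite):
    """Flag suites built on DES/3DES, RC4 or MD5, which current peers reject."""
    parts = suite.split("-")
    return any(p in ("des", "3des", "rc4", "md5") for p in parts)


def negotiate(peer_offer, switch_supported):
    """Return the first peer-preferred suite the switch also supports, or None.
    None is the 'complete session failed' case from the post."""
    supported = set(switch_supported)
    for suite in peer_offer:
        if suite in supported:
            return suite
    return None


def assess(output, peer_offer=MODERN_PEER_OFFER):
    """Summarise one 'show' output: all suites, legacy ones, negotiated suite."""
    suites = parse_ciphersuites(output)
    return {
        "suites": suites,
        "legacy": [s for s in suites if is_legacy(s)],
        "negotiated": negotiate(peer_offer, suites),
    }


if __name__ == "__main__":
    for label, out in (("12.2(55)SE12", IOS_122_OUTPUT), ("15.0(2)SE11", IOS_150_OUTPUT)):
        r = assess(out)
        verdict = "FAIL: no common suite" if r["negotiated"] is None else "OK: " + r["negotiated"]
        print(label, "->", verdict)
        print("  legacy suites still enabled:", ", ".join(r["legacy"]))
```

Run as-is, the 12.2 output yields no common suite (the handshake failure seen in the thread), while the 15.0 output negotiates `dhe-aes-128-cbc-sha`. The second line of output is the defender's follow-up: even after the upgrade the DES/RC4/MD5 suites are still enabled, so the parser is useful as an audit check across a fleet of switches, not only as an explanation of the failure.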