I am attempting to transition our existing environment of signed DigiCert certificates from RSA4096 to ECC256.
The DigiCert ONE signing process appears to work, i.e. a CSR generated using a TPM private key, then a certificate request made to DigiCert using this CSR. Same process I used before with RSA4096, different algorithm.
When using an RSA4096 generated certificate with either a hardware or a software TPM, I can connect using openconnect.
When using an ECC256 generated certificate and a software-emulated TPM, the openconnect connection is successful.
When using an ECC256 generated certificate and a hardware TPM (3 laptops), I encounter the following problem:
```
ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size
SSL connection failure: PKCS #11 error.
```
I have tried generating the CSR to be signed using the engines tpm2-openssl and pkcs11-provider, same result.
Maybe the following gives a clue. Any ideas?
(openconnect with --gnutls-debug=99 -v)
https://pastebin.com/d2gT4t6q
Running the command on my hardware TPM, I see:
```
pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so -M
Supported mechanisms:
RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, hw, generate_key_pair
RSA-X-509, keySize={1024,3072}, hw, encrypt, decrypt, sign, verify
RSA-PKCS, keySize={1024,3072}, hw, encrypt, decrypt, sign, verify
RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
RSA-PKCS-OAEP, keySize={1024,3072}, hw, encrypt, decrypt
SHA1-RSA-PKCS, keySize={1024,3072}, hw, sign, verify
SHA256-RSA-PKCS, keySize={1024,3072}, hw, sign, verify
SHA384-RSA-PKCS, keySize={1024,3072}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
SHA256-RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
SHA384-RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
SHA512-RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
ECDSA-KEY-PAIR-GEN, keySize={256,384}, hw, generate_key_pair
ECDSA, keySize={256,384}, hw, sign, verify
ECDSA-SHA1, keySize={256,384}, hw, sign, verify
ECDSA-SHA256, keySize={256,384}, hw, sign, verify
ECDSA-SHA384, keySize={256,384}, hw, sign, verify
ECDSA-SHA512, keySize={256,384}, hw, sign, verify
AES-KEY-GEN, keySize={16,32}, hw, generate
AES-CBC, keySize={16,32}, hw, encrypt, decrypt
AES-CBC-PAD, keySize={16,32}, hw, encrypt, decrypt
mechtype-0x2107, keySize={16,32}, hw, encrypt, decrypt
AES-ECB, keySize={16,32}, hw, encrypt, decrypt
AES-CTR, keySize={16,32}, hw, encrypt, decrypt
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
SHA-1-HMAC, keySize={20,20}, hw, sign, verify
SHA256-HMAC, keySize={32,32}, hw, sign, verify
SHA384-HMAC, keySize={48,48}, hw, sign, verify
```
Assuming that the following are being used:
Hardware
```
RSA-X-509, keySize={1024,3072}, hw, encrypt, decrypt, sign, verify
ECDSA, keySize={256,384}, hw, sign, verify
```
Software
```
RSA-X-509, keySize={1024,3072}, hw, encrypt, decrypt, sign, verify
ECDSA, keySize={192,638}, hw, sign, verify
```
For the software TPM I also see a different key size range, i.e. keySize={192,638} instead of the hardware TPM's keySize={256,384}. The RSA 4096 supports encryption, decryption, signing, and verification, while ECDSA only supports signing and verification.
Could these differences between RSA and ECDSA be a reason for the SSL connection failure? Trying to narrow down the issue. Any ideas?
I can provide more details of key creation etc. if required.