Since you were able to enroll the device but are still getting an error, you can try to get more diagnostics by using logcat.
Most probably, you will get an HTTPS certificate error:
Trust anchor for certification path not found.
This error means there's something wrong with the JKS certificate; for instance, it is missing the chain of higher-level certificates.
Note that Chrome can still trust the certificate because it has its own certificate checking method based on the higher-level certificate signatures (so Chrome is more tolerant of HTTPS configuration errors!).
To check your certificate, use the following command:
keytool -list -v -keystore /var/lib/tomcat9/ssl/server.jks
(check the keystore path; it depends on the Tomcat version!)
Among other things, it will report the Certificate chain length. Make sure this number is greater than 1 (otherwise, you apparently forgot to include the chain of higher-level certificates).
If you see that the certificate chain length is 1, you need to re-create the JKS file.
Remove the .p12 and .jks files, and retry creation of a JKS file.
Pay special attention to the creation of the CA certificate chain (CAchain.crt) and make sure you include the parameter
-certfile CAchain.crt
when you're creating a PKCS12 file.
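To re-check the keystore after re-creating it, the chain length test above can be scripted. This is an added example, not part of the original instructions: the function name jks_chain_report, the verdict labels and both sample outputs are constructed for illustration, and it assumes keytool prints in English. Beyond the length check, it also verifies that each certificate's Issuer matches the Owner of the next certificate in the chain.

```shell
# Constructed samples of `keytool -list -v` output (not from a real server).
sample_bad='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mdm.example.com
Issuer: CN=Example Intermediate CA'

sample_good='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=mdm.example.com
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA'

# Reads `keytool -list -v` output on stdin and prints one verdict per
# private key entry. Returns non-zero if any entry has a chain of length 1
# or a chain whose certificates do not link Issuer -> next Owner.
# Real use (path taken from the command above):
#   keytool -list -v -keystore /var/lib/tomcat9/ssl/server.jks | jks_chain_report
jks_chain_report() {
  awk '
    function report() {
      if (alias == "" || type != "PrivateKeyEntry") return
      verdict = "OK"
      if (len < 2) {
        verdict = "LEAF-ONLY"        # intermediates were not imported
      } else {
        for (i = 1; i < n; i++)
          if (issuer[i] != owner[i + 1]) verdict = "BROKEN-ORDER"
      }
      printf "%s length=%d %s\n", alias, len, verdict
      if (verdict != "OK") bad = 1
    }
    /^Alias name: /               { report(); alias = substr($0, 13); type = ""; len = 0; n = 0 }
    /^Entry type: /               { type = $NF }
    /^Certificate chain length: / { len = $NF + 0 }
    /^Certificate\[[0-9]+\]:/     { n++ }
    /^Owner: /                    { owner[n] = substr($0, 8) }
    /^Issuer: /                   { issuer[n] = substr($0, 9) }
    END { report(); exit bad + 0 }
  '
}
```

A LEAF-ONLY verdict corresponds to the chain length of 1 described above and means the JKS file has to be re-created with the CA chain included.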