Error: "Intermediate CA or Root CA Certificate Signature Verification Failed" on NetScaler Gateway

Enrollment and authentication works with LDAP policy however unable to enroll devices using client certification authentication.
Authentication is denied at NetScaler Gateway.??When disabling authentication on NetScaler Gateway, client certificate can be pushed to the device using a device credentials policy from XenMobile server.

The following are the error logs from ns.log file:

 SSLLOG SSL_HANDSHAKE_FAILURE 9998 0 :  SPCBId 7109 - ClientIP 185.25.64.249 - ClientPort 63163 - VserverServiceIP 10.10.1.125 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "DES-CBC3-SHA SSLv2 Non-Export 168-bit" - CLIENT_AUTHENTICATION_FAILED - SerialNumber "160000000ED1FD5FCA6CECC91400000000000E" - Reason "Intermediate CA or Root CA Certficate Signature Verification Failed" SSLLOG SSL_HANDSHAKE_FAILURE 10001 0 :  SPCBId 7109 - ClientIP 185.25.64.249 - ClientPort 63163 - VserverServiceIP 10.10.1.125 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "DES-CBC3-SHA SSLv2 Non-Export 168-bit" - Reason "Handshake failure-Internal Error"

The following are Worx Home logs when trying to enroll a device:
"2015-12-11T16:14:06.534+0000","WorxHome","WARNING ?? ( 3)","Cert:Failed to load AG client cert chain. /data/data/com.zenprise/ag.p12: open failed: ENOENT (No such file or directory)",8381,9938,Worx Home, ??, ??,0

Root CA certificate is using??RSASSA-PSS??signature algorithm, though the client certificate issued were using sha256.

Renewing the root CA certificate with sha256 signature algorithm fixes the issue.

Root CA certificate was using the??RSASSA-PSS??signature algorithm, though the client certificate issued were using sha256.