This issue might not happen while the user is connecting directly to the real IP/hostname of the PAM appliance instead of the Cluster VIP or Cluster URL

Please confirm if PAM’s system certificate subject is configured accordingly to match the URL of the VIP.
Make sure the fields for Common Name and Alternate Subject Names basically reflect all the URLs used to access this PAM instance.
Note, there is no line break / carriage return at the end of the list of the Alternate Subject Names

Please see this document how to configure and set the system certificate accordingly.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-7/configuring-your-server/configure-security-settings/secure-connections-using-ssl-certificates/install-certificates-in-a-cluster.html

Moreover, please confirm in the Load Balancer to not terminate SSL , and instead tunnel SSL all the way through to PAM.
For a NetScaler load balancer this would be done by configuring SSL bridging, see e.g. https://docs.citrix.com/en-us/netscaler/12/ssl/ssl-bridging.html.

Check to see if Cross Site Scripting Checks are disabled at all the PAM nodes as per the documentation link below.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-7/configuring-your-server/configure-security-settings/disable-and-enable-cross-site-scripting-attack-checking.html

Try the "JuniperProxyMode" feature:
(JuniperProxyMode is a special flag that can be specified when accessing the PAM login screen so that the PAM server will send its certificate along with the data to the applet. 
The applet will then use this certificate and ignore the certificate from the HTTPS connection.)

• configure the PAM Client to "Use System Proxy Settings" + "Ignore Proxy Certificate" in the Configuration Settings / Proxy tab.
• if you use a Web Browser amend the URL to PAM with XSUITE_VPN_LOGIN=1