OCSP nonce was required but not present in the response message

Article ID: 232070

Products

CA API Gateway

Issue/Introduction

There are two revocation checking policies configured in the Gateway:

  • (Default) OCSP from certificate URL
  • CRL from certificate URL

Certificates that do not contain an OCSP URL are configured to use the CRL checking policy. For the certificate signed by "Sectigo RSA Organization Validation Secure Server CA", the following warning is logged on every revocation check:

WARNING 1083 com.l7tech.server.transport.http.SslClientTrustManager: Error during OCSP check for responder 'http://ocsp.sectigo.com': OCSP nonce was required but not present in the response message

Environment

API Gateway

Resolution

The OCSP URL for the leaf certificate is indeed "http://ocsp.sectigo.com", the responder named in the error. If you perform an OCSP check against it with a nonce in the request, the responder answers, but its reply does not echo the nonce.

WARNING 806 com.l7tech.server.transport.http.SslClientTrustManager: Error during OCSP check for responder 'http://ocsp.sectigo.com': OCSP nonce was required but not present in the response message

If your default OCSP policy requires a nonce, the revocation check against this responder will fail. Select the "Do not include nonce in OCSP requests" option in the default revocation checking policy.

Because this responder's OCSP response never includes a nonce, disabling the nonce requirement stops the warning from being logged.
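To show what the warning actually means on the wire, here is an added, self-contained example (not Gateway, Sectigo or Broadcom code) built with the Python `cryptography` library. It constructs a throwaway CA and a leaf certificate carrying an AIA OCSP URL, builds OCSP requests with and without a nonce, plays a responder that either echoes or ignores the nonce, and then runs a relying-party check that models the two policy settings discussed above. The CA, the leaf, the URL `http://ocsp.example.test` and the function names are all constructed for this example; `check_response` is our reconstruction of the documented behaviour, not Gateway source. It also covers the first paragraph's point that a certificate without an AIA OCSP URL falls back to CRL checking.

```python
from datetime import datetime, timedelta, timezone
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

OCSP_URL = "http://ocsp.example.test"  # constructed; the article's responder is ocsp.sectigo.com


def _make_ca_and_leaf():
    """Throwaway CA plus a leaf whose AIA extension points at OCSP_URL (constructed test data)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_cert = (
        x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "gateway.example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=90))
        .add_extension(aia, critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


CA_KEY, CA_CERT, LEAF_CERT = _make_ca_and_leaf()


def ocsp_url(cert):
    """AIA OCSP URL or None; None is the case the article routes to the CRL policy."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return None
    for desc in aia:
        if desc.access_method == AuthorityInformationAccessOID.OCSP:
            return desc.access_location.value
    return None


def build_request(include_nonce):
    """Client side: include_nonce=False is the 'Do not include nonce in OCSP requests' setting."""
    builder = ocsp.OCSPRequestBuilder().add_certificate(LEAF_CERT, CA_CERT, hashes.SHA1())
    if include_nonce:
        builder = builder.add_extension(x509.OCSPNonce(os.urandom(16)), critical=False)
    return builder.build()


def respond(request, echo_nonce):
    """Responder side: echo_nonce=False models a responder that ignores the request nonce."""
    now = datetime.now(timezone.utc)
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA1(),
                      cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                      next_update=now + timedelta(hours=1),
                      revocation_time=None, revocation_reason=None)
        .responder_id(ocsp.OCSPResponderEncoding.NAME, CA_CERT)
    )
    if echo_nonce:
        try:  # copy the request nonce into the ResponseData extensions
            nonce = request.extensions.get_extension_for_class(x509.OCSPNonce).value
            builder = builder.add_extension(nonce, critical=False)
        except x509.ExtensionNotFound:
            pass
    return builder.sign(CA_KEY, hashes.SHA256())


def _nonce_of(obj):
    try:
        return obj.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return None


def _naive_utc(resp, name):
    """Read this_update/next_update as naive UTC across cryptography versions."""
    val = getattr(resp, name + "_utc") if hasattr(resp, name + "_utc") else getattr(resp, name)
    return val.astimezone(timezone.utc).replace(tzinfo=None) if val is not None and val.tzinfo else val


def check_response(request, response, require_nonce):
    """Relying-party check; require_nonce mirrors the policy's nonce requirement."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "error: responder returned " + response.response_status.name
    try:  # response must be signed by the issuer (or a delegated responder it certified)
        CA_CERT.public_key().verify(response.signature, response.tbs_response_bytes,
                                    padding.PKCS1v15(), response.signature_hash_algorithm)
    except InvalidSignature:
        return "error: bad OCSP response signature"
    if require_nonce:
        if _nonce_of(response) is None:
            return "error: OCSP nonce was required but not present in the response message"
        if _nonce_of(response) != _nonce_of(request):
            return "error: OCSP nonce mismatch (possible replay)"
    # Without a nonce, freshness rests on the thisUpdate/nextUpdate window alone.
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    nxt = _naive_utc(response, "next_update")
    if not (_naive_utc(response, "this_update") <= now and (nxt is None or now <= nxt)):
        return "error: stale OCSP response"
    return response.certificate_status.name.lower()


def run_scenario(include_nonce, echo_nonce, require_nonce):
    req = build_request(include_nonce)
    return check_response(req, respond(req, echo_nonce), require_nonce)
```

`run_scenario(True, False, True)` reproduces the article's warning text: the request carried a nonce, the responder dropped it, and the policy demanded it. `run_scenario(False, False, False)` is the article's fix: no nonce is sent, so none is expected, and the check passes on the signature and validity window. Note what that trade costs: the nonce is what ties a response to this particular request, so once it is disabled a captured "good" response stays acceptable until its `nextUpdate`, which is why the check above still enforces the validity window rather than accepting any signed answer.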