You have Cloud Enabled Management (CEM) clients that are connecting successfully with TLS 1.0. However when you switch the clients to a later version of TLS the clients stop connecting.
'Malformed response' type errors received from the Notification Server.
IIS Logs on NS:
Error 500 responses to clients with TLS >1.0
Windows OS issue caused by changes in the way the trusted issuer list is being communicated to the client.
8.0, 8.1, CEM, TLS 1.1 or greater
Making the registry key changes on the NS as below, in line with the MS KB article referenced, resolved the issue:
Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)