Trying to secure client pack and ChangeMan ZMF

Securing Client Pack and ChangeMan ZMF with TLS.  Has any one gotten this to work.

We have 2 separate rules. One to cover port  ZMF port and one to cover port  Client Port. Other than the port, the rules are identical:
They use the same cert/keyring.
They are for inbound traffic (so it's a "server" rule).
TLSv1.2 only.
No client authentication (except by user id/pass from client pack and TSO logon).
When Application Controlled is OFF client pack works but TSO doesn't. When it's ON client pack doesn't work but TSO does.The error we are getting when TSO access doesn't work is 5003 Data Decryption.We tried adding a third rule to cover the TSO connection. This was a client rule/outbound traffic. Application Controlled on and off had the same effect: 5003 Data Decryption. We did NOT have a client cert/keyring specified for this rule.


Changeman ZMF