Did you enable 'Use SNI TLS Extension'?
If enabled, the Edge server sends the Server Name Indication (SNI) header in the SSL request to the origin. This value is the same as the Forward Host header sent to the origin. You can configure your origin to return different certificates based on the SNI value sent.
You can't simply change this setting "on the fly"
Let's assume that Use SNI TLS Extension is currently disabled, and your property is configured to trust a single pinned certificate. If you enable the Use SNI TLS Extension option in this property, and you've configured your origin to return a different certificate based on the SNI header, requests from the Akamai Edge server to your origin would fail. To avoid this problem, you need to make sure that the new SNI-enabled origin certificate is in the list of trusted certificates in your property, before you enable the Use SNI TLS Extension option.
The opposite also applies. Suppose you've set up your origin to deliver a certificate back to the Edge server based on what was sent as the SNI value: you've set up the certificate on your origin, you've enabled this option, and you've also configured the Origin SSL Certificate Verification settings here to accommodate the origin certificate. If you were to disable the Use SNI TLS Extension option, the Edge server would not recognize the origin certificate, and the connection between it and your origin would fail. To avoid this, you need to add a certificate that does not rely on the SNI header to the list of trusted certificates in your property.
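
A pre-change check covering both cases above, as an added example (not Akamai's code): it fetches the origin's leaf certificate with and without SNI and confirms that the certificate the Edge server will receive after the toggle is already in the pinned set. The function names, the SHA-256 fingerprint comparison, and the host `origin.example.com` are assumptions for illustration.

```python
import hashlib
import socket
import ssl
from typing import Optional, Set


def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int, sni: Optional[str]) -> bytes:
    """Fetch the origin's leaf certificate; sni=None omits the SNI extension."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # collection only: trust is decided
    ctx.verify_mode = ssl.CERT_NONE  # by the pin comparison below
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def check_sni_toggle(pinned: Set[str], der_with_sni: bytes,
                     der_without_sni: bytes, enabling: bool) -> dict:
    """Report whether flipping the option keeps the origin certificate trusted."""
    with_fp = fingerprint(der_with_sni)
    without_fp = fingerprint(der_without_sni)
    # "before" is what the Edge server sees today, "after" is what it will see.
    before, after = (without_fp, with_fp) if enabling else (with_fp, without_fp)
    return {
        "origin_varies_by_sni": with_fp != without_fp,
        "trusted_now": before in pinned,
        "safe_to_toggle": after in pinned,
        "fingerprint_to_pin": None if after in pinned else after,
    }


if __name__ == "__main__":
    # Assumption: the Forward Host header (and so the SNI value) is this hostname.
    host = "origin.example.com"  # placeholder origin hostname
    pinned = {"<sha256-of-currently-pinned-cert>"}  # placeholder pin set
    result = check_sni_toggle(
        pinned,
        fetch_leaf_der(host, 443, sni=host),
        fetch_leaf_der(host, 443, sni=None),
        enabling=True,
    )
    print(result)
```

If `safe_to_toggle` is false, add the certificate matching `fingerprint_to_pin` to the property's trusted list before changing the option.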