Kevin,
Thanks for looking at it, sorry for the bad formatting. Yes "thawte SHA256 SSL CA" is fine. The clientssl profile that I use here is used in 100s of more VIPs and have no problem with certificate chain. I have tried to use the one with a bad chain and I get a different error - something to the effect "unknown_ca" in packet capture, which I am not seeing here. Since Handshake failed, no application_data started. I am still at a loss to understand why this (and others I sent) failed. One of them only has one line where client makes a new connection to server and fails right after, making no sense of what happened.
Naresh