See answer below, code formatting didn't come out well in answer response.
The only difference in the handshake is that mac-then-encrypt with length 0 is included in the extensions of client hello, even though that shouldn't matter when not using CBC ciphersuites. The server hello messages of the working and failing connections both match in the TLS section too.
OK, it looks like openssl server declares the pre-shared key in hex format, meaning that dispatch_data_create needs to pass the data in the correct format. This will be where I'm going wrong, but it's difficult to find any documentation on setting this value correctly.
I will open a TSI, but can you confirm whether it is a hex or ASCII string that PSK is expecting in the sec_protocol_options_add_pre_shared_key function? Because openssl uses the key in its hex format (without 0x), i.e. if I used '616263', that would be the hex representation of 'abc'. Therefore, if sec_protocol_options_add_pre_shared_key is expecting the ASCII format of the PSK, then you should enter 'abc' but '616263' in openssl. But I found that this doesn't work either, which is why it would be handy to have more documentation on the function to clarify this. My assumption is that it's expecting ASCII though.
I've opened a TSI if you would like to look into this.
Thanks Eskimo, is there a copy of this code's Objective-C equivalent though?
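The hex-versus-ASCII question raised above, as an added example that is not code from this thread or from Apple: a strict decoder that turns an openssl-style hex PSK (such as '616263') into the raw key bytes, so both peers can be checked against the same byte string. The function names `psk_hex_to_bytes` and `psk_hex_matches` are hypothetical, and it is an assumption here that the data handed to sec_protocol_options_add_pre_shared_key through dispatch_data_create is the raw key bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode an openssl-style hex PSK (no "0x" prefix) into raw bytes.
 * Returns the number of bytes written, or -1 for an empty string, an odd
 * number of digits, a non-hex character, or an output buffer that is too
 * small. On a -1 return the contents of out are unspecified.
 * Assumption: on Apple platforms the decoded buffer is what would be
 * wrapped with dispatch_data_create() before being added as the PSK.
 */
long psk_hex_to_bytes(const char *hex, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > out_cap)
        return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return (long)(n / 2);
}

/* Returns 1 if the hex form decodes to exactly raw[0..raw_len), else 0. */
int psk_hex_matches(const char *hex, const void *raw, size_t raw_len)
{
    uint8_t buf[64]; /* constructed limit for this example: 64-byte keys */
    long n = psk_hex_to_bytes(hex, buf, sizeof buf);
    return n >= 0 && (size_t)n == raw_len && memcmp(buf, raw, raw_len) == 0;
}
```

Passing the six characters '616263' as the key bytes on one side while the other side decodes them to the three bytes 'abc' gives two different keys, which `psk_hex_matches` makes visible before a handshake is attempted.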