Working with Apple got us pointed to this article here: https://support.apple.com/en-us/HT204932
The DH setting was less than required (requirement for the first few 10.10.4 betas was 768bits, and our clearpass/client negotiation was using 512). We're told the jump to this requirement will not actually take place in the public 10.10.4, but they also won't be releasing another 10.10.4 before that comes out so they cannot - and I cannot - confirm that bit of news. I know for sure iOS9 and 10.11 releases will all continue to have that updated requirement for the Diffie-Hellman key exchange.
We upgraded our clearpass environment (to 6.5.0) so this particular issue is taken care of for us on both ends (clearpass, and OS X 10.10.4). Since we upgraded clearpass our OS X 10.11 and iOS 9 tests are working, as well for this particular exchange
Perhaps @ManuCH you renewing the cert jiggled that key exchange handle on its own, or maybe it wasn't the same issue?