If you have a signed kernel extension that loads fine on El Capitan but not on Sierra, check if it has both 32-bit and 64-bit slices. The file command will return something like:
$ file MyKext.kext/Contents/MacOS/MyKext MyKext.kext/Contents/MacOS/MyKext: Mach-O universal binary with 2 architectures MyKext.kext/Contents/MacOS/MyKext (for architecture x86_64): Mach-O 64-bit kext bundle x86_64 MyKext.kext/Contents/MacOS/MyKext (for architecture i386): Mach-O object i386
When the 64-bit kernel was announced, the WWDC session pointed out that such kexts were not supported and two kexts should be shipped instead.
Now that strict code signing validation is being done on kexts, these unsupported kexts will fail signature verification.
The solution is to either remove the 32-bit slice, or, if you still need to support Macs that can only run the 32-bit kernel, split the kext into two separate kexts and sign the 64-bit version.
FYI, I noticed a similar issue, but the problem was specifically due to the presence of additional files under Contents/_CodeSignature in the kext bundle:
CodeDirectory, CodeRequirements, and CodeSignature.
With these files under 10.12, kextutil -t reported a code-signing error. Earlier versions of OS X could load the kext without issue.
Removing these files such that only the CodeResources file remained allowed the kext to load on 10.12.