If you have a signed kernel extension that loads fine on El Capitan but not on Sierra, check if it has both 32-bit and 64-bit slices. The file command will return something like:
$ file MyKext.kext/Contents/MacOS/MyKext
MyKext.kext/Contents/MacOS/MyKext: Mach-O universal binary with 2 architectures
MyKext.kext/Contents/MacOS/MyKext (for architecture x86_64): Mach-O 64-bit kext bundle x86_64
MyKext.kext/Contents/MacOS/MyKext (for architecture i386): Mach-O object i386
When the 64-bit kernel was announced, the WWDC session pointed out that such kexts were not supported and two kexts should be shipped instead.
Now that strict code signing validation is being done on kexts, these unsupported kexts will fail signature verification.
The solution is to either remove the 32-bit slice, or, if you still need to support Macs that can only run the 32-bit kernel, split the kext into two separate kexts and sign the 64-bit version.
--gc