#1566 non-CA subsystem installations failing while trying to join security domain
Closed: Fixed None Opened 8 years ago by rpattath.

non-CA subsystem installations failing while trying to join security domain

Steps to Reproduce:

1. Install CA with certs on HSM
2. Install KRA with certs on HSM using config file

Actual results:

KRA installation fails

Expected results:

KRA install should be successful

Additional info:

Attachments in associated bug:

Created attachment 1064017
KRA debug log

Created attachment 1064019
KRA spawn log

Created attachment 1064020
CA installation config file

Created attachment 1064023
KRA install config file

I filed a separate ticket for further investigation:
https://fedorahosted.org/pki/ticket/1576 substem -> subsytem SSL handshake issue with TLS_ECDHE_RSA_* on Thales HSM

commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8
Author: Christina Fu cfu@redhat.com
Date: Wed Aug 19 13:52:53 2015 +0200

Ticket 1566 on HSM, non-CA subsystem installations failing while trying to join security domain
Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_ ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_ ciphers by default (can be manually turned on if desired) based on the fact that:
1. The tested HSM seems to have issues with them (will still continue to investigate)
2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_ ciphers, each SSL session takes 3 times longer to establish.
3. The TLS_RSA_ ciphers are adequate at this time for the CS system operations
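The commit above switches the TLS_ECDHE_RSA_ family off by default and leaves re-enabling it to the operator. The script below is an added example for this ticket, not Dogtag PKI's own code: it parses a cipher range string, reports which suites are actually enabled, flips the TLS_ECDHE_RSA_ family to disabled the way the commit describes, and shows the trade-off that follows (no forward-secret suite remains once the family is off). It assumes the "+SUITE,-SUITE" comma-separated convention used by tomcatjss' sslRangeCiphers attribute; the sample list is constructed for the example and is not taken from any server.xml.

```python
"""Audit a '+/-' cipher range string for TLS_ECDHE_RSA_ suites.

Added illustration for ticket 1566; not Dogtag PKI code. Assumes the
tomcatjss sslRangeCiphers convention: a comma-separated list in which every
suite name carries a '+' (enabled) or '-' (disabled) prefix.
"""

ECDHE_RSA_PREFIX = "TLS_ECDHE_RSA_"

# Constructed sample: the ECDHE_RSA suites on, next to the static RSA suites
# that the commit message calls adequate for subsystem-to-subsystem traffic.
SAMPLE_RANGE = (
    "-TLS_RSA_WITH_RC4_128_SHA,"
    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "+TLS_RSA_WITH_AES_128_CBC_SHA,"
    "+TLS_RSA_WITH_AES_256_CBC_SHA"
)


def _split_entry(token):
    """Return (sign, suite name) for one '+NAME' / '-NAME' entry."""
    token = token.strip()
    if token[:1] not in ("+", "-"):
        raise ValueError("cipher entry without +/- prefix: %r" % token)
    return token[0], token[1:]


def parse_cipher_range(value):
    """Map each suite name to True (+) or False (-). A later entry for the
    same suite overrides an earlier one, so the dict holds the final state."""
    state = {}
    for token in value.split(","):
        if not token.strip():
            continue
        sign, name = _split_entry(token)
        state[name] = sign == "+"
    return state


def audit_cipher_range(value):
    """Summarise what the range actually turns on: all enabled suites, the
    enabled TLS_ECDHE_RSA_ suites (the family the commit disables by default),
    and the enabled suites that still offer forward secrecy (ephemeral DH/ECDH)."""
    state = parse_cipher_range(value)
    enabled = [name for name, on in state.items() if on]
    return {
        "enabled": enabled,
        "ecdhe_rsa_enabled": [n for n in enabled if n.startswith(ECDHE_RSA_PREFIX)],
        "pfs_enabled": [n for n in enabled if "_ECDHE_" in n or "_DHE_" in n],
    }


def disable_family(value, prefix=ECDHE_RSA_PREFIX):
    """Return the range with every suite under `prefix` set to '-', preserving
    order and leaving other entries untouched. This is the default the commit
    adopts; an operator re-enables the family by flipping the sign back to '+'."""
    out = []
    for token in value.split(","):
        if not token.strip():
            continue
        sign, name = _split_entry(token)
        out.append(("-" if name.startswith(prefix) else sign) + name)
    return ",".join(out)


if __name__ == "__main__":
    before = audit_cipher_range(SAMPLE_RANGE)
    after = audit_cipher_range(disable_family(SAMPLE_RANGE))
    print("ECDHE_RSA enabled before:", before["ecdhe_rsa_enabled"])
    print("ECDHE_RSA enabled after :", after["ecdhe_rsa_enabled"])
    # The cost the commit accepts: with the family off, no forward-secret
    # suite is left in this list.
    print("forward-secret suites after:", after["pfs_enabled"] or "none")
```

Run against a real range string, the "pfs_enabled" list is the quickest way to see whether disabling the family for HSM compatibility has removed forward secrecy from a deployment entirely or whether other ephemeral suites remain.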

Metadata Update from @rpattath:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2125

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
