Are you using DTLS? If so was the server-key just "radius/dtls" I am experiencing similar issues.

i.e.

radius server THE_IMPERFECT_SERVER
address ipv4 1.1.1.1

key radius/dtls

dtls ip vrf forwarding JUST_A_VRf

dtls ip radius source-interface vlan 4010

dtls trustpoint client SUB_CA (who issues cert manual enrollment)

dtls trustpoitn server SUB_CA (who issues cert manual enrollment)

aaa server dynamic-author

client 1.1.1.1 vrf JUST_A_VRf dtls client-tp SUB-CA server-tp SUB-CA

auth-type any

dtls ip radius source-interface VLAN 4010