I have successfully deployed numerous uplink MACsec-encrypted links in a fashion similar to the following where both ends are layer 3, or both ends are layer 2 trunks. The platforms are Catalyst 6840Xs, 3850s and 3650s.
interface GigabitEthernet1/1/4
 switchport mode trunk
 cts manual
  no propagate sgt
  sap pmk 012345789abcdef mode-list gcm-encrypt
I have a need to accomplish the same except this time, one end is a 6840X with a routed interface with dot1q-encapsulated subinterfaces, linked to a Catalyst 3650 with a trunked layer 2 uplink. For my application it is acceptable to either: (a) apply MACsec encryption on all dot1q-tagged traffic on this connection, or (b) apply MACsec encryption on a particular VLAN on it. Either is fine.
I was hopeful that the configuration snippet above could simply be applied to my 3650's uplink trunk, and the 6840X's main interface (sample below). But judging by the 6840X's inability to bring up the CTS session, this scenario apparently isn't as straightforward as I thought.
interface GigabitEthernet1/1/2
 no switchport
 no ip address
 cts manual
  no propagate sgt
  sap pmk 012345789abcdef mode-list gcm-encrypt
!
interface GigabitEthernet1/1/2.1
 encapsulation dot1q 10
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/1/2.2
 encapsulation dot1q 20
 ip address 2.2.2.2 255.255.255.0
I can't find anything in the MACsec documentation that appears to cover my use case. Can anyone offer some advice on how I should configure this?
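As an added check that is not part of the question or any reply: a small script that pulls the SAP PMK and mode-list out of each end's config and reports whether the two uplinks actually agree, which is the first thing to verify when a manual CTS session refuses to come up. The sample configs are constructed from the snippets above, and the PMK is a placeholder copied from the post.

```python
import re

# Constructed sample configs modelled on the snippets in the post (not the
# poster's live configuration); the PMK is a placeholder copied from the post.
SIDE_A = """\
interface GigabitEthernet1/1/4
 switchport mode trunk
 cts manual
  no propagate sgt
  sap pmk 012345789abcdef mode-list gcm-encrypt
"""
SIDE_B = """\
interface GigabitEthernet1/1/2
 no switchport
 cts manual
  no propagate sgt
  sap pmk 012345789abcdef mode-list gcm-encrypt
!
interface GigabitEthernet1/1/2.1
 encapsulation dot1q 10
"""

def parse_cts(config):
    """Map each interface that has a 'sap pmk ... mode-list ...' line under
    'cts manual' to its PMK and cipher mode list; subinterfaces have none."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+sap pmk (\S+) mode-list (.+)$", line)
        if m and current:
            result[current] = {"pmk": m.group(1), "modes": m.group(2).split()}
    return result

def compare_sap(side_a, side_b):
    """Return a list of mismatches between the single SAP-enabled uplink on
    each side; an empty list means both ends offer the same PMK and modes."""
    findings = []
    if len(side_a) != 1 or len(side_b) != 1:
        return [f"expected one SAP uplink per side, got {len(side_a)}/{len(side_b)}"]
    (ia, sa), = side_a.items()
    (ib, sb), = side_b.items()
    if sa["pmk"] != sb["pmk"]:
        findings.append(f"PMK differs between {ia} and {ib}")
    if sa["modes"] != sb["modes"]:
        findings.append(f"mode-list differs between {ia} and {ib}: {sa['modes']} vs {sb['modes']}")
    return findings
```

Paste the running-config of each end into SIDE_A and SIDE_B and call compare_sap(parse_cts(SIDE_A), parse_cts(SIDE_B)); an empty result rules out a PMK or cipher-mode mismatch before you look further at the platform-specific limitations.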