PKCS12 and PFX is practically the same.

How did you do it? I just imported a PFX and it worked as expected:

1. Under PKI -> Security -> PKI Management -> Add Certificate -> Import PKCS12 the PFX is imported.
2. Under Administration -> Management -> HTTP/HTTPS/Netconf/VTY the new HTTP Trust Point is selected.
3. You get logged out and the new certificate is used.

You can check the PFX with openssl and you shouldn't have any errors there:

openssl pkcs12 -info -in cert.pfx

Refer to the below document, Generate and Download CSR Certificates on Catalyst 9800 WLCs - Cisco

This is almost definitely because your cert package is not as specified in the guidelines @Arshad Safrulla linked to.
Have you included the full certificate chain? (Root + intermediate + WLC cert and key)
See the section starting "If you run the command openssl pkcs12 -info -in <path to cert> and only one certificate with one private key displays, it means the CA is not present. As a rule of thumb, this command ideally lists your whole chain of certificate. It is not required to include the top root CA if it is known by the client browsers already."

No I don't think so.  We've only ever had it work with the full chain (no problems with that) and the documentation is clear that at the minimum it should include the intermediate.

I combined the RootCA and SubCA, pfx into one pfx. So I now have a full chained Certificate. 

After I was able to import the pfx file successfully, this also added the Chain to the Trustpools, created a new Trustpoint and a new Key Label. However, when I configured HTTP to use my new Trustpoint, HTTP Service restarted and my browser showed "does not have a Certificate-SSL error"!!!! Then had to go to the CLI remove new Trustpoint and configure Cisco Self-signed  Trustpoint to regain GUI access............seem to be getting close! Awaiting on TAC response.............

Oct 28 08:19:21.833: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: C9800new.pfx created succesfully
Oct 28 08:19:21.836: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named C9800new.pfx has been generated or imported by pki-pkcs12
Oct 28 08:19:21.862: %PKI-6-PKCS12_IMPORT_SUCCESS: PKCS #12 import in to trustpoint C9800new.pfx successfully imported.
Oct 28 08:19:21.899: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as * on vty1
Oct 28 08:19:49.509: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as * on vty1
 

Ok, with the TAC Engineer, we tried numerous things, same problem, no cert, like remove Trustpoint, Key label and re-applied etc. We rebooted the wlc and noticed upon reboot, the WLC used the old software version, so I upgraded again to 17.6.4 and rebooted and applied "Commit" after the reboot which I didn't do last time hence the fall back to the old version 17.6.3 (you cannot change the boot statement like on a router/switch rather install same package again, a pain). After all this, we performed a clean on the Trustpools, saved and rebooted the WLC again. Then imported the PKCS12 full chain certificate again, and suddenly everything worked after the HTTPS restart, certificate valid. Surprising, yes! Then on the other new C9800 WLC we did the same, but no reboot. All we did on this WLC was cleaned the Trustpoints, without even importing anything. So what was the problem, a possible bug the TAC thinks............well your guess as good as mine! At least I now have validated Certificates! But getting back to previous posts, yes you should just be able to import the .pfx full chain without any issues at all. My only thinking was that possibly when I imported the 1st time, something with the Trustpools was screwed. Who knows!

Agreed. I suspect that when you imported the certificates separately that got it into some sort of state.  Did TAC confirm that the certificate should be full chain or did they say the separate cert approach was supported?  If it's not supported that means it's never been tested and therefore could have unpredictable results.