You have Cloud Enabled Management (CEM) clients that are connecting successfully with TLS 1.0. However, when you switch the clients to a later version of TLS, the clients stop connecting.
Agent logs:
'Malformed response' type errors received from the Notification Server.
IIS Logs on NS:
Error 500 responses to clients with TLS >1.0
8.0, 8.1, CEM, TLS 1.1 or greater
This is a Windows OS issue caused by changes in the way the trusted issuer list is communicated to the client.
Making the following registry change on the NS, in line with the Microsoft KB article referenced below, resolved the issue:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)
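One way to apply and verify this registry change from an elevated PowerShell session on the NS. This is an added example, not part of the original article; the function name and the backup file path are hypothetical.

```powershell
# Added example (not from the original article). Run elevated on the Notification Server.
function Set-SendTrustedIssuerList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Desired = 0,   # 0 (False), the value data given in the article
        # Hypothetical backup location; change as needed
        [string]$BackupFile = (Join-Path $env:TEMP 'schannel-backup.reg')
    )
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $name = 'SendTrustedIssuerList'
    $dword = [Microsoft.Win32.RegistryValueKind]::DWord

    # Current state: the value may be absent, or present with the wrong type
    $key  = Get-Item -Path $path -ErrorAction Stop
    $had  = $key.GetValueNames() -contains $name
    $old  = if ($had) { $key.GetValue($name) } else { $null }
    $kind = if ($had) { $key.GetValueKind($name) } else { $null }

    $backup = $null
    if ($had -and $kind -eq $dword -and $old -eq $Desired) {
        Write-Verbose "$name is already $Desired (REG_DWORD); nothing to do."
    }
    elseif ($PSCmdlet.ShouldProcess("$path\$name", "Set REG_DWORD to $Desired")) {
        # Export the key first so the change can be rolled back
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup of the SCHANNEL key failed; no change made.' }
        $backup = $BackupFile
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Desired -Force | Out-Null
    }

    # Re-read and report what is actually in the registry now
    $key   = Get-Item -Path $path
    $after = if ($key.GetValueNames() -contains $name) {
        "$($key.GetValue($name)) ($($key.GetValueKind($name)))"
    } else { '<not set>' }
    [pscustomobject]@{
        ValueName = $name
        Before    = if ($had) { "$old ($kind)" } else { '<not set>' }
        After     = $after
        Backup    = $backup
    }
}

Set-SendTrustedIssuerList -Verbose
```

Run it with `-WhatIf` first to see the pending change without writing to the registry.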
Further details:
https://support.microsoft.com/en-us/help/2464556/failed-tls-connection-between-unified-communications-peers-generates-a