Hey,
That both your DC Master and your DC Backup use certificates with their regular host names as SANs during the connection implies that neither of them currently uses a valid virtual host configuration for the ucs-sso.… host name. So let’s dig deeper.
Please post the output from the following commands from both your DC Master & your DC Backup:
ucr search --brief '^saml' | grep -Fv '<empty>'
ls /etc/apache2/sites-enabled/univention-saml.conf
Thanks.