This is specific to 10.3.3. The option to trust the certificate under "Certificate Trust Settings" is no longer available to me (it was post-10.3 and pre-10.3.3). I reset my simulator and didn't realise this was an issue.
The server and certificate chain fully passes nscurl --ats-diagnostics <url>. The profile and certificate is installed on the device, and is verified. It contains the correct v3 required extensions, and is not SHA-1 (or other archaic options).
I can browse to the server with Safari (after the initial "verify" alert). Does anyone know what has changed in 10.3.3 and its certificate handling?
Edit: Rebuilding the certs is not a concern if required.