Ev4ld
Copper Contributor
Jan 20, 2025
Solved

CBA setup for ActiveSync on Exchange server 2019 on premise

 

I was setting up CBA for ActiveSync and OWA on Exchange 2019 on-premises, following this guide: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-certificate-based-auth?view=exchserver-2019

It was a struggle. First, I tried to make sure OWA would work on domain PCs with CBA. Finally, after I did the optional step from the guide above and increased the uploadReadAheadSize value to 49152 for owa, ecp and activesync, I started getting an error in the browser: “too many redirects, try clearing cookies”. Clearing cookies didn’t help (private windows also didn’t help), but then I installed another browser (Chrome), and OWA started working and accepting certificates.

The browser that I was experimenting with before (Edge) is still not working for OWA; I guess something needs to be cleaned. I understand it is not specifically an Edge problem, but the fact that Edge has cached some data (since I did all the testing on it) that doesn’t allow it to connect. I was able to connect to OWA with Edge on another domain computer, which was not used before.

After I got OWA to work on the PC, I installed the user certificate on the iPhone, and OWA works there with the certificate too (great!! one problem solved).

However, for some reason ActiveSync still doesn’t work with the client certificate set to required on the same iPhone. I assume the iPhone should use the same certificate it uses for OWA (which works), so the certificate is not the problem. Without requiring a client certificate, ActiveSync on the iPhone also works, so permissions/policies shouldn’t be the problem. I’m getting error codes 403 7 64 and 403 7 5.

Does anybody have any suggestions???

1 Reply

  • Ev4ld
    Copper Contributor

    I think I found the problem, which was the native iPhone mail app. Once I tried some different mail apps, I found at least 3 apps that were working (like Airmail).

    My guess is that the iPhone’s default mail app doesn’t accept the server’s self-signed certificate even if the certificate is trusted on the phone.
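
Added example, not part of the thread: the "403 7 64" and "403 7 5" triplets in the question have the shape of the sc-status, sc-substatus and sc-win32-status columns of an IIS W3C log, where 403.7 means a client certificate is required. The sketch below groups ActiveSync requests by user agent to show which client never presents a certificate; the log lines, user-agent strings and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-20 10:01:02 192.0.2.10 OPTIONS /Microsoft-Server-ActiveSync - 443 - 198.51.100.7 Apple-iPhone/constructed - 403 7 64 12
2025-01-20 10:01:05 192.0.2.10 POST /Microsoft-Server-ActiveSync Cmd=FolderSync 443 - 198.51.100.7 Apple-iPhone/constructed - 403 7 5 9
2025-01-20 10:03:40 192.0.2.10 POST /Microsoft-Server-ActiveSync Cmd=Sync 443 EXAMPLE\\user1 198.51.100.7 OtherMailApp/constructed - 200 0 0 48
2025-01-20 10:04:11 192.0.2.10 GET /owa/ - 443 EXAMPLE\\user1 198.51.100.7 Mozilla/5.0+(constructed) - 200 0 0 31
"""

# Win32 codes that appear in the thread's error triplets.
WIN32 = {5: "ERROR_ACCESS_DENIED", 64: "ERROR_NETNAME_DELETED"}
EAS_PATH = "/microsoft-server-activesync"

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def eas_summary(text):
    """Per user agent: successful ActiveSync requests and 403.7 failures by win32 code."""
    summary = {}
    for r in parse_w3c(text):
        if not r["cs-uri-stem"].lower().startswith(EAS_PATH):
            continue  # ignore OWA/ECP and other virtual directories
        entry = summary.setdefault(r["cs(User-Agent)"], {"ok": 0, "cert_required": Counter()})
        if r["sc-status"] == "200":
            entry["ok"] += 1
        elif (r["sc-status"], r["sc-substatus"]) == ("403", "7"):
            entry["cert_required"][int(r["sc-win32-status"])] += 1
    return summary

def failing_agents(text):
    """User agents that only ever received 403.7 on ActiveSync."""
    return sorted(a for a, e in eas_summary(text).items() if e["cert_required"] and not e["ok"])

if __name__ == "__main__":
    for agent, e in eas_summary(SAMPLE_LOG).items():
        codes = {WIN32.get(c, c): n for c, n in e["cert_required"].items()}
        print(agent, "ok:", e["ok"], "403.7:", codes)
```

A split like this, where one user agent only ever gets 403.7 while another succeeds from the same device and account, points at the client rather than the server-side CBA configuration.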