Correction to my previous post: the working iOS 18.1.1 device actually does NOT have LE's CA cert manually imported. (LE is apparently now a trusted a root authority in iOS.)
The VPN configuration profile itself is self-signed however—and it's that signer's CA cert that's manually installed on this working device.
Doubtful that any of this is relevant. Just wanting to clarify. Apologies for any confusion.