i had to replace the certificate chain.
Old CA
Name: smplyCA
CN=smply-ca
New CA
Name: firewall.mydomain.de
CN: firewall.mydomain.de
Old Server Cert:
Issuer: smplyCA
CN: firewall
New Server Cert:
Issuer: firewall.mydomain.de
CN: firewall.mydomain.de
Then i made a mobile config profile with Apple Configurator with both Certificates as a payload, remove the old profile, installed the new one, VPN works again.