Take a look at this KB (VMware Knowledge Base): the wildcard needs to be imported on the management appliance (not the tunnel appliance; I made this error). By the way, I don't understand why, but it works.
The hostname on the management appliance must correspond to the public FQDN without the DNS suffix.
And after all these modifications you need to restart the services and check that all are green in system monitoring.
To be clear, the hostname on the actual management appliance does not need to be the same as the public FQDN. In our environment we use our internal naming scheme to assign hostnames to the appliances and everything works fine from the Internet.
The trickiest thing I've found with vCAv is DNS resolution (depending on whether you're using split DNS) and the firewall rules, depending on whether you deploy the components in the VMware recommended zones (trusted for all components except for the Tunnel, which lives in the DMZ).
To the OP - are you still experiencing issues with your deployment?
1. You can utilize a wildcard cert for the CRM, but it MUST be unique between cloud sites.
2. DNS resolution is imperative for pairing to VCD - especially the communication path. Ensure the vCAv CRM has the proper route to the VCD instance for pairing.
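Both the first post (wildcard certificate on the management appliance, hostname versus public FQDN) and the last reply (wildcard cert for the CRM) come down to whether the certificate's Subject Alternative Names actually cover the public FQDN that clients and the peer site connect to. The following is an added example, not code from this thread or from VMware: it applies the RFC 6125 wildcard rule that TLS clients enforce (a wildcard is only honoured as the whole leftmost label and matches exactly one label), so `*.example.com` covers `vcav-mgmt.example.com` but not `vcav.dmz.example.com` or the bare `example.com`. The SAN list and hostnames below are constructed for illustration.

```python
"""Check whether a certificate's SAN entries cover the appliance FQDNs.

Added example, not code from the thread or from VMware. The SAN list and
hostnames are constructed. Matching follows the RFC 6125 rules that TLS
clients apply: a wildcard is honoured only as the entire leftmost label and
matches exactly one label, so "*.example.com" does not cover a host one
level deeper or the apex domain itself.
"""


def _label_matches(pattern: str, label: str) -> bool:
    """Compare one DNS label; a bare '*' pattern matches any single label."""
    if pattern == "*":
        return True
    return pattern == label


def san_covers(san_names, fqdn: str) -> bool:
    """Return True if any SAN dNSName entry covers the given FQDN."""
    host_labels = fqdn.rstrip(".").lower().split(".")
    for name in san_names:
        labels = name.rstrip(".").lower().split(".")
        # A wildcard must match exactly one label, so label counts must agree.
        if len(labels) != len(host_labels):
            continue
        # Wildcards are only accepted in the leftmost label.
        if "*" in labels[1:]:
            continue
        # Refuse overly broad wildcards such as "*.com".
        if labels[0] == "*" and len(labels) < 3:
            continue
        if all(_label_matches(p, h) for p, h in zip(labels, host_labels)):
            return True
    return False


def find_uncovered(san_names, fqdns):
    """List the FQDNs that the certificate would NOT be valid for."""
    return [f for f in fqdns if not san_covers(san_names, f)]


if __name__ == "__main__":
    # Constructed SAN list of a wildcard certificate (hypothetical names).
    sans = ["*.example.com"]
    # Constructed public FQDNs an operator might expect the cert to cover.
    hosts = [
        "vcav-mgmt.example.com",      # covered: one label under the wildcard
        "vcav-tunnel.dmz.example.com",  # NOT covered: two labels deep
        "example.com",                # NOT covered: apex domain
    ]
    for host in find_uncovered(sans, hosts):
        print(f"certificate does not cover {host}")
```

Run it against the real SAN list (for example the dNSName entries printed by `openssl x509 -noout -ext subjectAltName`) and the exact FQDN used for pairing; a name that appears in the uncovered list explains a TLS failure that the system monitoring page will otherwise only report as a red service.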