
Re: Server dialback issue over TLS

On the train I got some time to investigate your log messages, and I think they all occur due to fallback dialback while the remote server requires TLS.

In this case "policy-violation" is the correct way to deny the fallback to OF, but I think that some implementations of the remote server handle the case differently.

I think this could happen:

1. OF opens a TLS connection and tries to verify the peer with SAML or Dialback.

2. An exception occurs. Maybe a silent "exception", like no SAML authentications offered by the remote server.

3. OF closes the TLS connection and retries with the old unencrypted dialback.

4. Unencrypted connections are denied by the remote server (with some different and unexpected responses).

You have to enable debug mode to get more information about what really went wrong during the handshake.
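Added example, not part of the original post and not Openfire code: a small helper for reading the debug output, which checks whether the stream fragments a remote server sent on the plaintext retry (steps 3 and 4 above) show a TLS requirement or a policy-violation stream error. The function names and the sample fragments are constructed for illustration; the namespaces are the ones RFC 6120 defines.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"   # namespace of the stream: prefix
NS_ERR = "urn:ietf:params:xml:ns:xmpp-streams"   # stream error conditions (RFC 6120)
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"       # STARTTLS feature (RFC 6120)

def parse_fragment(xml):
    # Logged fragments lack the xmlns:stream declaration made on the stream
    # header, so wrap them in a root element that binds the prefix.
    return ET.fromstring(f"<w xmlns:stream='{NS_STREAM}'>{xml}</w>")

def facts(xml):
    """Return (tls_required, error_condition) for one logged fragment."""
    root = parse_fragment(xml)
    required = root.find(f".//{{{NS_TLS}}}starttls/{{{NS_TLS}}}required") is not None
    condition = None
    for err in root.iter(f"{{{NS_STREAM}}}error"):
        for child in err:
            name = child.tag.split("}")[-1]
            if child.tag.startswith(f"{{{NS_ERR}}}") and name != "text":
                condition = name
    return required, condition

def diagnose(attempts):
    """attempts: ordered list of (encrypted, [fragments received from remote])."""
    seen_tls_attempt = False
    for encrypted, fragments in attempts:
        if encrypted:
            seen_tls_attempt = True
            continue
        found = [facts(f) for f in fragments]
        required = any(r for r, _ in found)
        rejected = any(c == "policy-violation" for _, c in found)
        if seen_tls_attempt and (required or rejected):
            return "plaintext fallback refused: remote requires TLS"
        if rejected:
            return "plaintext refused by remote policy"
    return "no TLS-policy rejection seen"

# Constructed sample: a failed TLS attempt followed by the plaintext retry.
SAMPLE = [
    (True, []),
    (False, [
        "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
        "<required/></starttls></stream:features>",
        "<stream:error><policy-violation xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
        "<text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>TLS required</text></stream:error>",
    ]),
]
```

A remote that answers the plaintext retry with something other than these two signals falls through to the last result, which is the "different and unexpected responses" case.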

