There appears to be an issue with JSS 9.96 and External CA. The 9.96 binary fails to properly download/install the cert on the clients which breaks enrollment. Existing or new record of the client doesn't matter. Just a heads up for probably those few others that use an external CA with their JSS. If/when I get a defect id I can update the post.
Are you using a dynamic challenge in your environment?
If so, it's likely that you're running into PI-000879, in which we run into the inability to enroll using an External CA configured with a dynamic challenge.
If you're using a static challenge, it's likely not that PI however, as that PI is specific to dynamic challenge setups.
Without knowing more about what's failing, what errors are happening, etc...I don't want to say for sure that it's PI-000879 even if it sounds similar, so it would be worth it to get in touch with your TAM if you haven't already to dig into it a bit more and either confirm that what you're seeing is PI-000879 or rule it out and get to the bottom of what's going on.