When I recently updated one of my IPA servers (it reports 4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up because pki-tomcatd kept failing. I was able to get it running for now by ignoring the failure of that one service, but I haven't been able to determine the cause. The logs are pretty quiet on this one. They show the failure itself, but not information that helps me fix the problem. It also appears to be causing some weird UI issues. Without the certificate stuff working I can't add any new replicas as CAs because it can't send the needed info to the new server.
I have talked a little bit with Rob Crittenden about this but always run into an impasse when trying to find the debug logs.