Could you check if your "requiredSecret" value matches the "secret" in
"/etc/pki/pki-tomcat/server.xml"?
I had two lines where they were different and the value has to match the secret in
"/etc/httpd/conf.d/ipa-pki-proxy.conf". Once they all matched I restarted
pki-tomcatd(a)pki-tomcat.service and httpd and both CLI and WebGUI certificate management
worked again.
According to a different thread "tomcat pre-9.0.31.0 uses 'requiredSecret'
and afterward uses 'secret'."
I am running my FreeIPA server on CentOS 8 Stream which uses tomcat 9.0.30. My uninformed
guess is the last FreeIPA update from 4.9.3 to 4.9.6 configured "secret" only
and not "requiredSecret" which "broke" the config for the tomcat
version used. Hope this helps.