A little update:
When executing the "Execute file gateway cert" from above no all files are created in C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker.
Proxy.state.xml already exists because of the provisioning agent.
Broker.key and broker.csr are created but are removed after the certificate can not be obtained.
Broker.crt is missing.
Broker.conf.xml is added later by the final agent (provisioning agent does not include csa information at this point).
However this file seems to be empty at first and is filled short time later.
The same action "Execute file gateway cert" will fail as well when bein executed after the final agent and broker.conf.xml is present.
However now it gets interesting:
When I include the action "Execute file gateway cert" two times - on after the provisionign agent and a second time after the final agent - I get a working broker.crt...
Just including one of the actions, may it be after the provisioning or after the final agent fails in every attempt so far.