After manual check using wireshark, I found version of certificate is mismatch between server configuration and CPU configuration. Because CPU only support x.509 v3 certificate, but server pulish x509 v1 certificate, this is the reason why connection is crashed.

To establish a secured MQTT communication between the SIMATIC S7-CPU (MQTT client) and an MQTT broker in your network, the following criteria must be fulfilled:

• The MQTT broker is installed and preconfigured for the TLS process
• The required CA certificate of the MQTT broker is at hand
• The CPU's time of day has been set to the current time.

A certificate always contains a validity period during which the certificate is valid. To be able to encrypt via the certificate, the S7-CPU’s time of day also needs to be within this validity period. On a brand-new S7-CPU or after fully resetting the S7-CPU, the internal clock is set to a default value that is outside the validity period of the certificate. The certificate is then marked as invalid.

Another thing to consider is whether you have configured the MQTT broker in such a way that an MQTT client authentication is also needed, then you have to import the client certificate as well.