I can get CalDav working with SSL when I don't enter a specific port on IOS9 extended configuration. This sets the SSL port for CalDav to 443, which is not standard for CalDav over SSL as we all know. However, despite this setting, the firewall still registers connects on 8443. If I change the port to the "correct" SSL port for CalDav (8443), the sync just fails. Looks like somebody hardcoded the port... However, this trick doesn't seem to work for CardDav. My CardDav doesn't connect even without SSL - which wouldn't be an option for "production level" anyway.
According to Apple Support they only support "latest versions". We happen to run an OSX Server 10.6.8 that serves all other devices not running on IOS9 just fine (iOS 6,7 and 8, as well as OSX 10.6.8, 10.9 and 10.10). One iPad mini 2 was updated to IOS9 (and 9.0.1) subsequently and stopped syncing with the server - by the way: showing no errors on the IOS9 device at all, no errors on the server, just the data never got updated any more after the update.
After having talked with Apple support for quite some time and exchanging e-mails with them it seems to me they do not see a problem with this. Because you report a completely different server (platform) with similar problems, everything points to IOS9 im my eyes - and not to my "overaged (4 years)" server, as Apple support happened to put it. So I am a bit stuck with this all new IOS9...
Please let us know when your situation changes and why/how...