Ok I have a solution/workaround, but its an issue CP will need to fix.
the LTA.tgz file on the cloud portal contains an outdated version of "opsec_pull_cert" and "opsec_pull_cert.exe", this version only seems to support sslv3. The way to resolve it is on your log server run this:
find / -name opsec_pull_cert
and find the version bundled with log exporter (on my R80.40 it was in /opt/CPrt-R80.40/log_indexer/opsec_pull_cert)
Copy that binary file, and overwrite it in the LTA extracted folder, now when you run ./LTA run the fetch certificate process will work and use tls1.x because its using the newer opsec_pull_cert binary