Clients not downloading from Azure Cloud Distribution Point

I have a problem with my clients not downloading content from my Azure Cloud DP.

Environment: Standalone Primary Site with functional Internet MP. Site/DP/MP is set up for using https (PKI with MS CA). CRL check is disabled. No reverse proxy like TMG in place.

The Cloud DP clouddp1.xxxxxx.com is set up with a management certificate with my public domain name (cer-file in Azure, pfx local). I also configured the CNAME in DNS (Domain Management in my Office365 Account) for the public name "clouddp1.xxxxxx.com". Here I saw the first problem regarding different setup guides on the Internet. One time you should set the CNAME referring to ID.cloudapp.net, in other guides you should set the CNAME referring to ID.blob.core.windows.net.
So not being sure which one is the correct setting, i tried both (with waiting for DNS to refresh the new settings). But nothing seems to work for downloading content from the cloud DP.
Can anyone tell me, which is the correct setting?
ID.cloudapp.net or ID.blob.core.windows.net?

I'm only testing with a small Application (MSI) which is correctly distributed to the Cloud DP (and only to the Cloud DP, not the on-premise one). The local Clients and also the internet based clients do get the advertisement but stuck on 0% downloading.

The Clients are trying to download from the Cloud DP which can be seen in CAS.log:
Download location found 0 - https://clouddp1.xxxxxx.com/downloadrestservice.svc/getcontentxmlsecure?pid=jf100007&cid=Content_b6394d79-efd4-4e15-a985-9d56443096b1.1

But in DataTransferService.log I see errors:
Failed to send request to /downloadrestservice.svc/getcontentxmlsecure?pid=JF100007&cid=CONTENT_B6394D79-EFD4-4E15-A985-9D56443096B1.1&tid=GUID:3B8A4D7A-F531-4213-9CCB-13018F00BB28&iss=SCCM01.xxxxxx.LOCAL&alg=1.2.840.113549.1.1.5&st=2015-08-13T17:33:57&et=2015-08-14T01:33:57 at host clouddp1.xxxxxx.com, error 0x2f8fDataTransferService13.08.2015 19:33:572928 (0x0B70)
[CCMHTTP] ERROR: URL=https://clouddp1.xxxxxx.com:443/downloadrestservice.svc/getcontentxmlsecure?pid=JF100007&cid=CONTENT_B6394D79-EFD4-4E15-A985-9D56443096B1.1&tid=GUID:3B8A4D7A-F531-4213-9CCB-13018F00BB28&iss=SCCM01.xxxxxx.LOCAL&alg=1.2.840.113549.1.1.5&st=2015-08-13T17:33:57&et=2015-08-14T01:33:57, Port=443, Options=31, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILUREDataTransferService13.08.2015 19:33:572928 (0x0B70)
Successfully sent location services HTTPS failure message.DataTransferService13.08.2015 19:33:572928 (0x0B70)
Error sending DAV request. HTTP code 600, status ''DataTransferService13.08.2015 19:33:572928 (0x0B70)
Raising event:
instance of CCM_DataTransferService_BITS_SecureFailure
{
ClientID = "GUID:3B8A4D7A-F531-4213-9CCB-13018F00BB28";
DateTime = "20150813173357.935000+000";
HRESULT = "0x80072f8f";
ProcessID = 1728;
ServerPath = "https://clouddp1.xxxxxx.com:443/downloadrestservice.svc/getcontentxmlsecure?pid=JF100007&cid=CONTENT_B6394D79-EFD4-4E15-A985-9D56443096B1.1&tid=GUID:3B8A4D7A-F531-4213-9CCB-13018F00BB28&iss=SCCM01.xxxxxx.LOCAL&alg=1.2.840.113549.1.1.5&st=2015-08-13T17:33:57&et=2015-08-14T01:33:57";
ThreadID = 2928;
};
DataTransferService13.08.2015 19:33:572928 (0x0B70)
GetDirectoryList_HTTP('https://clouddp1.xxxxxx.com:443/downloadrestservice.svc/getcontentxmlsecure?pid=JF100007&cid=CONTENT_B6394D79-EFD4-4E15-A985-9D56443096B1.1&tid=GUID:3B8A4D7A-F531-4213-9CCB-13018F00BB28&iss=SCCM01.xxxxxx.LOCAL&alg=1.2.840.113549.1.1.5&st=2015-08-13T17:33:57&et=2015-08-14T01:33:57') failed with code 0x80072f8f.DataTransferService13.08.2015 19:33:572928 (0x0B70)


In ContentTransferManager.log no errors, but Cloud DP location can be seen:
Persisted locations for CTM job {B9256FD5-B1E8-4ED7-B6D6-E86ED8EAEC33}:
(REMOTE) https://clouddp1.xxxxxx.com/downloadrestservice.svc/getcontentxmlsecure?pid=jf100007&cid=Content_b6394d79-efd4-4e15-a985-9d56443096b1.1ContentTransferManager13.08.2015 19:33:574060 (0x0FDC)

Content location type is Azure. Need to get the signed source url.ContentTransferManager13.08.2015 19:33:574060 (0x0FDC)

CTM job {B9256FD5-B1E8-4ED7-B6D6-E86ED8EAEC33} (corresponding DTS job {54377885-C703-406C-ABCD-31D2C0FF7C0A}) started download from 'https://clouddp1.xxxxxx.com/downloadrestservice.svc/getcontentxmlsecure?pid=JF100007&cid=CONTENT_B6394D79-EFD4-4E15-A985-9D56443096B1.1&tid=GUID:3B8A4D7A-F531-4213-9CCB-13018F00BB28&iss=SCCM01.xxxxxx.LOCAL&alg=1.2.840.113549.1.1.5&st=2015-08-13T17:33:57&et=2015-08-14T01:33:57' for full content download.

CTM job {B9256FD5-B1E8-4ED7-B6D6-E86ED8EAEC33} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA

Above errors are with CNAME set to id.blob.core.windows.net.

Can anyone help me to figure out, what is going wrong?