NOTE: this post title is inaccurate. It was not until later that I discovered the problem was related to 4908-bit certs, not 4096-bit certs.
I appear to have found a bug with OS X and iOS. Neither one can handle a 4096-bit certificate by StartCom. Changing to a 2048-bit cert allowed the connection.
I have not tested 4096-bit certs from other issuers.
The scenario in question is an IMAP server running Dovecot. I tested this with the default mail app. Other mail clients connected without error. But my iPhone and MacBook refused to connect. Others encountered the same situation when they tried to connect.
This problem annoyed me for a few weeks and the breakthrough came last night when someone pointed out they had a similar production configuration, but with a 2048-bit certificate. That was the turning point.
The problem is reproducible and fails every time.
I have confirmed that self-signed 4096-bit certificates work.
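As an added example (not code from the original post), the following POSIX shell script uses openssl to print the RSA key size of a certificate, either from a local PEM file or from the leaf certificate a live server presents, and flags any size other than the usual 2048, 3072 or 4096 bits. The `host:port` argument in `server_cert_key_bits` is a placeholder you supply; the self-signed certificate helper exists only so the check can be exercised offline, including against an odd-sized key such as the 4908-bit one mentioned in the note above.

```shell
#!/bin/sh
# Added example: check the RSA modulus size of a certificate with openssl,
# so a non-standard key size is noticed before a client refuses to connect.
# Requires the openssl command-line tool.

# Print the public key size in bits of a PEM certificate file ($1).
# openssl prints a line like "Public-Key: (4096 bit)" in its -text output.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if the certificate ($1) uses a standard RSA size, 1 otherwise.
key_size_is_standard() {
    case "$(cert_key_bits "$1")" in
        2048|3072|4096) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the key size of the leaf certificate a TLS server presents.
# $1 is "host:port" (e.g. an IMAPS server on 993); needs network access.
server_cert_key_bits() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Build a throwaway self-signed certificate with an RSA key of $1 bits,
# writing the cert to $2 (the private key is written to $2.key).
# Only used to exercise the checks above locally.
make_self_signed() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=example.invalid" -days 1 >/dev/null 2>&1
}

# Demonstration: build certs of a standard and a non-standard size and
# report how each is classified. Run as: sh thisfile.sh demo
demo() {
    d=$(mktemp -d)
    for bits in 2048 4908; do
        make_self_signed "$bits" "$d/cert$bits.pem"
        if key_size_is_standard "$d/cert$bits.pem"; then
            echo "$(cert_key_bits "$d/cert$bits.pem")-bit key: standard size"
        else
            echo "$(cert_key_bits "$d/cert$bits.pem")-bit key: NON-STANDARD size"
        fi
    done
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Against a live server, `server_cert_key_bits mail.example.invalid:993` (hostname is a placeholder) shows exactly what the client sees, which is the number worth comparing when one mail client connects and another refuses.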
The short-term problem is solved (getting my new IMAP server working with a StartCom certificate), but I’m hesitant to migrate my IMAP server over until I get some kind of feedback from both Apple and StartCom.