It looks like IBM might have been able to get MS CAPI to work with TLS1.2.  That said, I think it would make more sense to switch to CNG API.