I'm with @CptnCrnch - something is most likely wrong with the CA chain you are uploading. Your certificate must be issued by the chain you are uploading.
Also, is there any reason to even both with the pain of using a custom DNS name? You know you can configure AnyConnect to display your company name simply, so the user never sees the DNS name or have to type it in? I have a tool for writing the AnyConnect profiles to do this.
https://www.ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html
Then you can just use the DDNS name, and use the automatic certificates, and never have to worry about renewing the certificates because it is automatic.