I found the answer to this problem.
Bouncycastle does not add a0:00 to the attributes when no attribute instance is given (null). This leads to incomplete encoded data.
"If you just see: Attributes: then the SET OF is missing and the encoding is technically invalid (but it is tolerated)." - https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
The solution is to provide a empty DerSet to the CSR which leads to the a0:00 generation indicating there are no attributes present.