Right, so this means your client is trying to open a secured connection to the wrong endpoint.
There is a discovery endpoint at opc.tcp://host:62541/discovery
. It accepts unsecured connections and implements the discovery services. The endpoints it returns contain URLs that point to the session endpoint at opc.tcp://host:62541
(no /discovery).
If your client / client library can't correctly use the endpoint URLs returned in the GetEndpoints response then it won't be able to connect.
I've found that on order to connect broken clients like this to Ignition you have to enable the "None" security policy in the server and then point the client directly at the session endpoint instead.