I just registered a domain and bought a vServer for some SSL-testing purposes. Lets say the domain www.domain.com resolves to ip 18.104.22.168 and so does the second subdomain sec.domain.com.
(edit:) and two certs from StartSSL for those two subdomains, so cert 1 is valid for www.domain.com and domain.com and the cert 2 is valid for sec.domain.com and domain.com of course.
After some testing i tried to harden sec.domain.com and turned off some ciphers. Because apache cant decide which vHost to use, before the TLS handshake, it seems it always takes the protocols given in the first vhost. Lets say something like SNI is missing for to set other protocol configs. Anyhow that's how it seemed to be for me. So i ordered a second IP lets say 22.214.171.124 and set sec.domain.com to point to this ip. The next scans showed up some errors, i guess you would like to avoid.
Although the report says "Prefix handling: Not required for subdomains", the test obviously resolves the sub-subdomain www.sec.domain.com. This seems to be a little bit odd to me. And brought up the error, because of the wildcard dns entry, anysubdomain.domain.com gets resolved to 126.96.36.199 and in this case, its the "wrong" vHost and so the certificate doesn't match and so one gets this error message.
If the Summary says, that prefix handling is not required for subdomains, maybe it would be a good idea, not to resolve the www.sub-subdomain.
I would offer to reconfigure my domains back (aka simply delete the www.sec.domain.com entry) and give it to you for testing purposes.