If the certificate which you have added as a Token Decryption Certificate has been set as secondary, you need to change it to primary as shown below.
1. Right-click on Token-decrypting certificate and select Set as Primary.
AD FS management console
Certificates used for token-decrypting are critical to the stability of the Federation Service. Because loss or unplanned removal of any certificates configured for this purpose can disrupt service, you should back up any certificates configured for this purpose.