Native JWT Signature verification

I asked about this last week, and I've gotten a bit farther, but I cannot seem to verify a known valid signature using the Qc3VerifySignature API, which is returning CPF9DEF - The signature verification failed. Has anyone successfully used this API (along with Qc3CalculateHash, Qc3CreateAlgorithmContext, and Qc3CreateKeyContext) to verify a JWT signature? I hate having to call a Java routine to do this. :)

My understanding is the signature is base64urldecoded to a byte string (used in Qc3VerifySignature as the Signature, which is already in ASCII), the Header and Payload are base64urldecoded to strings with all padding characters removed and the two strings joined with a period between them, which are translated to ascii, and used by Qc3CalculateHash (this part is working correctly, I get the correct hash value). Can anyone see anything blatantly wrong with the code below or have suggestions on what I might be missing?

Thanks!!
Doug

Main code:
// Create Key Context API
dcl-pr CrtKeyCtx extpgm('QC3CRTKX');
CtxKeyStr varchar(32767) const;
CtxkeyLen Int(10) const;
CtxKeyFmt Char(1) const;
CtxKeyType Int(10) const;
CtxKeyForm Char(1) const;
CtxKek Char(1) const options(*OMIT);
CtxKekAlg Char(8) const options(*OMIT);
CtxKeyToken Char(8);
CtxErrCd Char(10);
END-PR;

// Create Algorithm Context API
dcl-pr CrtAlgCtx extpgm('QC3CRTAX');
AlgCtxDsc char(25) const;
AlgDescFmtName char(8) const;
AlgCtxTkn char(8);
ErrCd char(10);

END-PR;

// Create Hash API
dcl-pr CrtHash extpgm('QC3CALHA');
HInput char(1024) const options(*varsize);
HLenOfInp Int(10) const;
HInpFormName Char(8) const;
HAlgDesc Char(20) const options(*varsize);
HAlgDescFormName Char(8) const;
HCryptoProvider Char(1) const;
HCryptoDev Char(10) const options(*OMIT);
HashText Char(300) options(*varsize);
HErrCode Char(1);
END-PR;

// Verify Signature API
dcl-pr VerifySig extpgm('QC3VFYSG');
Sig char(512) const;
SigLen Int(10) const;
InpData char(32) const;
InpDataLen Int(10) const;
InpDataFormat char(8) const;
AlgorithmDesc char(20) const;
AlgDescFormatName char(8) const;
KeyDesc Char(8) const;
KeyDescFormatName char(8) const;
CryptoProvider Char(1) const;
CryptoDevice char(10) const options(*OMIT);
Error likeds(ErrorDS) ;
END-PR;

dcl-pr Translate extpgm('QDCXLATE');
txtLen packed(5) const;
Data char(1);
Tbl char(10) const;
end-pr;

// Convert to Hex
dcl-pr cvthc ExtProc('cvthc');
target char(64);
src_bits char(32) const;
tgt_length int(10) value;
END-PR;

// Algorithm Context Data Structure - Runtime Use
dcl-ds ALGD0100;
AlCtxTkn char(8);
FinalOp Char(1) inz('1');
END-DS;

// Algorithm Context Data Structure - Create RSA Alg
dcl-ds ALGD0400;
PKCipher int(10) inz(50);
PKABlock char(1) inz('1');
Reserved char(3) inz(x'000000');
SignHash int(10) inz(2);
END-DS;

// Algorithm Context Data Structure - Runtime Use
// Specific to Creating a hash
dcl-ds ALGD0500;
HashAlg int(10) inz(3);
END-DS;

// Error Data Structure - similar to QUSEC
dcl-ds ErrorDS qualified;
BytesProv Int(10) inz(%size(ErrorDS));
BytesAvail Int(10);
ExceptionID char(7);
*n char(1);
ExceptionDta char(256);
end-ds;

// Keystring is the X509 certificate (PEM) with a 2048 bit key

CrtKeyCtx(
KeyString
: 2048
: '6'
: 50
: '0'
: *OMIT
: *OMIT
: ContextToken
: QUSEC );

CrtAlgCtx( ALGD0400
: 'ALGD0400'
: AlCtxTkn
: QUSEC);

// encoded_string is the jwt header and payload {header}.{payload} in ASCII - which is creating the correct SHA-256 hash

CrtHash(Encoded_string
: %len(Encoded_string )
: 'DATA0100'
: ALGD0500
: 'ALGD0500'
: '1'
: *Omit
: HashOut
: QUsec);

cvthc( HashBytes : HashOut : 64);


Verifysig( Decoded_sig
: 256
: HashBytes
: 64
: 'DATA0100'
: ALGD0100
: 'ALGD0100'
: ContextToken
: 'KEYD0100'
: '1'
: *OMIT
: ErrorDS);