Did you test your DNSSEC setup before you disabled it in Cloudflare?
The two tools usually used for testing are:
Why do you think it is DNSSEC related?
I would test the hostname that you have an issue with, as well as the hostname of the origin (the value you have configured in the DNS dashboard). I would expect that Cloudflare would fail to resolve an origin when the target of a CNAME has broken DNSSEC.
I’m guessing that Cloudflare will continue to serve signed responses for your domain until they confirm the parent zone has removed the DS records, and enough time has passed for the DS records in the parent zone to have expired (I think this is usually twice the TTL). If they did not do this, there is a chance that users would think the zone is signed (due to cached DS records) but the authoritative nameservers are no longer signing the responses.
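The state described in the reply above (DS records still published or cached while the authoritative nameservers no longer sign), as an added example that is not part of the original post: Python that classifies a delegation from `dig +noall +answer` style text for the parent's DS and the child's DNSKEY answers. The records are constructed, the function names are hypothetical, the key-tag comparison is a consistency check rather than cryptographic validation, and the "twice the TTL" wait is the poster's estimate taken as an assumption.

```python
# Added example. All records are constructed sample data, not real lookups.
PARENT_DS = "example.com. 86400 IN DS 12345 13 2 00112233AABBCCDD"
CHILD_SIGNED = """\
example.com. 3600 IN DNSKEY 257 3 13 Y29uc3RydWN0ZWQ=
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240201000000 20240101000000 12345 example.com. c2FtcGxl
"""
CHILD_UNSIGNED = ""  # zone stopped signing: no DNSKEY or RRSIG in the answer


def parse(answer):
    """Parse dig '+noall +answer' style lines: name ttl IN type rdata."""
    records = []
    for line in answer.splitlines():
        f = line.split(None, 4)
        if len(f) == 5 and f[2] == "IN":
            records.append({"name": f[0], "ttl": int(f[1]),
                            "type": f[3], "rdata": f[4].split()})
    return records


def dnssec_state(parent_ds_answer, child_dnskey_answer):
    """Classify the delegation from the parent's DS and the child's DNSKEY answer."""
    # DS rdata: keytag algorithm digest-type digest
    ds_tags = {r["rdata"][0] for r in parse(parent_ds_answer) if r["type"] == "DS"}
    # RRSIG rdata: covered alg labels origttl expire inception keytag signer sig
    sig_tags = {r["rdata"][6] for r in parse(child_dnskey_answer)
                if r["type"] == "RRSIG" and r["rdata"][0] == "DNSKEY"}
    if not ds_tags:
        # No DS: validators treat the zone as unsigned whether or not it signs.
        return "insecure-signed" if sig_tags else "insecure"
    if not sig_tags:
        # DS still visible but no signatures: validating resolvers fail the lookup.
        return "bogus-unsigned"
    # A DS should point at a key that signs the DNSKEY RRset.
    return "secure" if ds_tags & sig_tags else "bogus-key-mismatch"


def earliest_unsign(ds_removed_at, ds_ttl, multiplier=2):
    """Earliest epoch second to stop signing after the DS left the parent.

    multiplier=2 is the post's 'twice the TTL' estimate (assumption).
    """
    return ds_removed_at + multiplier * ds_ttl


if __name__ == "__main__":
    print(dnssec_state(PARENT_DS, CHILD_SIGNED))
    print(dnssec_state(PARENT_DS, CHILD_UNSIGNED))
```

Run it against both the affected hostname and the origin hostname, since a `bogus-*` result on either one would explain a resolution failure.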