IPA upgrade fails due to the pki-tomcatd service, but the CA role was not installed on the server

Solution Verified

Issue

  • IPA services are failing to start after upgrade to RHEL 8.9:
# ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.12-11.module+el8.9.0+20824+f2605038', current version '4.9.11-6.module+el8.8.0+19022+e8902f4b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.

The upgrade fails with the following error:

Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
# ipactl start -f
Skipping version check
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

Environment

  • Red Hat Enterprise Linux (RHEL) 8.9
  • ipa-server-upgrade
