Red Hat Bugzilla – Bug 1517827
[RFE] Satellite 6: add the ability to choose supported cipher suites for Tomcat
Last modified: 2018-02-21 07:39:59 EST
Puppet is already covered by BZ 1491363; modifying this BZ to address only Tomcat and moving it to the candlepin component.
This should already be possible in Satellite 6.3 thanks to:
https://github.com/theforeman/puppet-candlepin/commit/c5a36f728cc12443709d0437b205c4a9e32c0fbe

This can be done by providing the candlepin::ciphers variable in custom-hiera.yaml. Moving to ONQA for verification.
Build: Satellite 6.3.0 snap 27

We are able to override the ciphers in /etc/tomcat/server.xml using custom-hiera.yaml.

[root@sgi-uv20-01 tomcat]# cat /etc/foreman-installer/custom-hiera.yaml | grep candlepin
candlepin::ciphers: ['TLS_RSA_WITH_AES_128_CBC_SHA','TLS_DHE_RSA_WITH_AES_256_CBC_SHA']

satellite-installer
Installing             Done                                               [100%] [................................................................................................................................]
  Success!

cat /etc/tomcat/server.xml | grep ciphers -C 10
         described in the APR documentation -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="want" sslProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="conf/keystore"
               truststoreFile="conf/keystore"
               keystoreType="PKCS12"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
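The verification above compares the hiera list and the generated Connector by eye. The script below is an added example, not part of the bug report or of the puppet-candlepin module: it reads the candlepin::ciphers list from custom-hiera.yaml and the ciphers="" attribute of the Connector in server.xml, checks that the two agree, and flags ciphers without forward secrecy or with known-weak algorithms (the report's own list includes a static-RSA suite, which this check reports). It also lists protocol versions below TLS 1.2 from sslProtocols, because the output above still shows TLSv1.1 and TLSv1 enabled after the cipher change, so that attribute needs to be reviewed separately. The two files it creates are constructed samples modelled on the comment above; the function names and the weak-cipher pattern are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report or the puppet-candlepin module):
# check that the cipher list in custom-hiera.yaml is what actually landed in
# the SSL Connector of /etc/tomcat/server.xml, and flag settings a TLS
# hardening review would question. The two files below are constructed
# samples modelled on the verification comment; the real paths are
# /etc/foreman-installer/custom-hiera.yaml and /etc/tomcat/server.xml.

# Print the comma-separated value of attribute $2 in XML file $1, one item per
# line with surrounding whitespace removed. The attribute may span lines (it
# does in the report), so the file is joined first. If the attribute occurs
# more than once, the last occurrence wins.
attr_list() {
    tr '\n' ' ' < "$1" \
      | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p" \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
      | grep -v '^$'
}

tomcat_ciphers()   { attr_list "$1" ciphers; }
tomcat_protocols() { attr_list "$1" sslProtocols; }

# Print the flow-style YAML list candlepin::ciphers: ['A','B'] one item per
# line, with quotes and whitespace removed.
hiera_ciphers() {
    sed -n 's/^candlepin::ciphers:[[:space:]]*\[\(.*\)\].*/\1/p' "$1" \
      | tr ',' '\n' \
      | sed "s/[[:space:]'\"]//g" \
      | grep -v '^$'
}

# Exit 0 when both lists are identical and in the same order, 1 otherwise.
ciphers_match() {
    [ "$(hiera_ciphers "$1")" = "$(tomcat_ciphers "$2")" ]
}

# Print ciphers with no forward secrecy (static RSA key exchange) or with
# RC4, 3DES, NULL, EXPORT or MD5. Exit status is grep's: 0 if any were found.
weak_ciphers() {
    tomcat_ciphers "$1" | grep -E '^TLS_RSA_|RC4|3DES|NULL|EXPORT|_MD5'
}

# Print protocol versions below TLS 1.2 still listed in sslProtocols.
# candlepin::ciphers does not touch this attribute; the report's output
# still shows TLSv1.1 and TLSv1 enabled.
legacy_protocols() {
    tomcat_protocols "$1" | grep -E '^(SSLv[23]|TLSv1(\.1)?)$'
}

# --- constructed sample files -------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

cat > "$DEMO/custom-hiera.yaml" <<'EOF'
# constructed sample, same list as the report
candlepin::ciphers: ['TLS_RSA_WITH_AES_128_CBC_SHA','TLS_DHE_RSA_WITH_AES_256_CBC_SHA']
EOF

cat > "$DEMO/server.xml" <<'EOF'
<!-- constructed sample of the 8443 Connector after satellite-installer -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="want" sslProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="conf/keystore" truststoreFile="conf/keystore"
           keystoreType="PKCS12"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA" />
EOF

# A drifted copy: server.xml was edited by hand and no longer matches hiera.
sed 's/TLS_RSA_WITH_AES_128_CBC_SHA,/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,/' \
    "$DEMO/server.xml" > "$DEMO/server-drifted.xml"

# --- report ---------------------------------------------------------------
for xml in server.xml server-drifted.xml; do
    echo "== $xml"
    if ciphers_match "$DEMO/custom-hiera.yaml" "$DEMO/$xml"; then
        echo "OK: ciphers match custom-hiera.yaml"
    else
        echo "MISMATCH: rerun satellite-installer or fix the Connector by hand"
    fi
    if weak_ciphers "$DEMO/$xml" > /dev/null; then
        echo "WARNING: weak or non-PFS ciphers: $(weak_ciphers "$DEMO/$xml" | tr '\n' ' ')"
    fi
    if legacy_protocols "$DEMO/$xml" > /dev/null; then
        echo "WARNING: legacy protocols enabled: $(legacy_protocols "$DEMO/$xml" | tr '\n' ' ')"
    fi
done
```

Run it against the real files by replacing the sample paths with /etc/foreman-installer/custom-hiera.yaml and /etc/tomcat/server.xml after satellite-installer has completed; a mismatch means the installer did not regenerate the Connector, and a non-empty legacy_protocols list means the cipher change alone has not removed TLS 1.0/1.1 from the listener.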
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336