I figured out what it takes to resolved the brickatude.
Flash back to stock including the original recovery. Use the original recovery to do a factory reset. That works!
For some reason the original recovery will work where the CM recovery bjorks out and reboots the device.
Also, there are rumors that the stock recovery resets the Knox flag. This is not true.
It just no longer displays the status every time you boot. The flag is still set, the OS just does not seem to care.
BTW, getting into recovery is a pain in the ass no matter what. It took me about 5-6 tries to get it to work. There seems to be some sort of timing issue as to when you need to release the buttons and you have to get it just right
or it won't work. Don't give up.
Also, get the stock firmware from sammobile.com. The other sites listed kept trying to install malware on my machine. (Pretty funny when it tried to claim I needed a Windows update on my Linux system.) At some point I will yank down the malware and see what it does.