turns out (in case it’s helpful to someone else) that
$omnikassaOrder['signature'] = hash_hmac('sha512', json_encode(implode(',',$toHash)), base64_decode($SigningKey));
should have been simply the following (without json_encode )
$omnikassaOrder['signature'] = hash_hmac('sha512', implode(',',$toHash), base64_decode($SigningKey));