Solution was easier than I thought. 

Set key = "secretkey"
Set message = "messageinabottle"
Set secretByteArray = ##class(%SYSTEM.Encryption).Base64Decode(key)
Set signatureBytes = $SYSTEM.Encryption.HMACSHA(256, message, secretByteArray)

Set requestSignatureBase64String = ##class(%SYSTEM.Encryption).Base64Encode(signatureBytes) 

As you can see I get same requestSignatureBase64String if I use string values in js and objectscript examples. Unfortunately web service is expecting  value QxYkJH+b0xo+pCLMBMXgKhMqjMSV+mqQbNvPf7kX2k4=

I get same signature and secretByteArray values in js and objectscript, but difference is that objectscript value is String and js value is 32-bit WordArray.

How do I get correct signature and secretByteArray values that I can pass to the $SYSTEM.Encryption.HMACSHA method?

Cryptojs example

var key = "secretkey"
var message = "messageinabottle"
var signature = CryptoJS.enc.Utf8.parse(message) //6d657373616765696e61626f74746c65
var secretByteArray = CryptoJS.enc.Base64.parse(key) //b1e72b7ad91e
var signatureBytes = CryptoJS.HmacSHA256(signature, secretByteArray) //431624247f9bd31a3ea422cc04c5e02a132a8cc495fa6a906cdbcf7fb917da4e
var requestSignatureBase64String = CryptoJS.enc.Base64.stringify(signatureBytes) //QxYkJH+b0xo+pCLMBMXgKhMqjMSV+mqQbNvPf7kX2k4=
var signatureBytes = CryptoJS.HmacSHA256(message, key) //3ab515868d9a93d73025789510f9fc4089d3fb48722fb909f7331cc7e13f6719
var requestSignatureBase64String = CryptoJS.enc.Base64.stringify(signatureBytes) //OrUVho2ak9cwJXiVEPn8QInT+0hyL7kJ9zMcx+E/Zxk=

ObjectScript example

Set key = "secretkey"
Set message = "messageinabottle"
Set signature = $ZCONVERT(##class(%xsd.hexBinary).LogicalToXSD(message),"L") //6d657373616765696e61626f74746c65
Set secretByteArray = $ZCONVERT(##class(%xsd.hexBinary).LogicalToXSD(##class(%SYSTEM.Encryption).Base64Decode(key)),"L") //b1e72b7ad91e
Set signatureBytes = $SYSTEM.Encryption.HMACSHA(256, signature, secretByteArray)
Set requestSignatureBase64String = ##class(%SYSTEM.Encryption).Base64Encode(signatureBytes) //kQeBc7Gu4SRUeicA7xVeN6V9sWX5b1bCLX9rUBK+lGA=
Set signatureBytes = $SYSTEM.Encryption.HMACSHA(256, message, key)
Set requestSignatureBase64String = ##class(%SYSTEM.Encryption).Base64Encode(signatureBytes) //OrUVho2ak9cwJXiVEPn8QInT+0hyL7kJ9zMcx+E/Zxk=

Hi Jorge and thanks for the answer!

Yes there is external system where I try to authenticate and with Postman that javasript works just fine.

I can get correct tSecretByteArray with this
    Set tSecretByteArray = ..hex(##class(%SYSTEM.Encryption).Base64Decode(keyUTF8))

So do I have to get 32-bit wordArray like in JS var signature = CryptoJS.enc.Utf8.parse(rawData);

If do some hardcoding and set "signature" value from Postman, I won't get right values from 
    Set tSignature = ..hex($SYSTEM.Encryption.HMACSHA(256, wordArray, tSecretByteArray))
    Set tSignatureBase64 = ##class(%SYSTEM.Encryption).Base64Encode(tSignature)

And yes, to_hmac was copy-paste error ;)

Problem solved! XML file is UTF-8 and I read attachment file name from there. So I needed to use ZCONVERT function and that resolved this.