That sounds about right. We have the same issue. When a device connects to a secure network, the user is are prompted to enter their user credentials or shared account credentials. The user is asked to accept the cert and you are connected. When you try to connect to another SID, it will not connect. We found that if you tell it to forget the initial WIFI connection, you are then able to connect. We were told by AirWatch It's by design and working as intended. Our confusion is, if the device is already being trusted why does the user need to accept the cert? Either way, does not seem right. Also, we are in the middle of switching from ACS to ISE. Well....that just opened up another bag of worms. When we switch over the ISE it's not even connecting autumnally despite having the same trusted root. And while it's not pulling the new cert down, it's still asking for credentials. Makes absolutely no sense. All I know is that we have Apple engineers looking into this, and so far no one has been able to provide clear direction explanation. We have been at this for well over a month now. Will follow should we make some type of progress.