Solved... The port that cloud wifi defaulted to was 1812. Cloudpath was actually using a different port, and I neglected to check this. It didn't have an impact until the user tried to access the secured SSID with the new certificate. Since the port was wrong, the RADIUS lookup failed so the user never succeeded in authenticating.
Checking the log in Cloudpath confirmed this as well because the RADIUS queries never made it there (until the correct port was added).
Thanks to TAC for getting me straightened out!