I tried setting up a simple arrangement where users could request guest access via CP. I see that the certificate is issued but the user fails to join the Guest Access SSID that was created. I haven't seen any obvious issues in the client event log or the Cloud Wifi events.
My perception is that the AP is unable to validate the client cert when the client tries to connect to the post onboarding SSID. There is another SSID that is using WPA2 PSK that works. The onboarding SSID works. I've done something similar using unleashed and was trying it on a Cloud Wifi managed AP.
Solved... The port that cloud wifi defaulted to was 1812. Cloudpath was actually using a different port, and I neglected to check this. It didn't have an impact until the user tried to access the secured SSID with the new certificate. Since the port was wrong, the RADIUS lookup failed so the user never succeeded in authenticating.
Checking the log in Cloudpath confirmed this as well because the RADIUS queries never made it there (until the correct port was added).