In some cases, the provisioning server might have a security certificate signed by a trusted CA, but the server does not have the intermediate certificate installed. Please check that you have the full chain of trust installed on your server.
You can obtain a copy of your intermediate certificate from your CA and install it directly on the phone, as a test (using the custom CA parameter), before uploading it to your server.