With EAP-PEAP authentication method the TLS connection build-up may contain a check on the client side that validates whether the Radius Server is trusted. Radius server does not care about the clients that connect to it!!!
Therefore:
on your client A you need to install ACS1 and ACS2 Root (and any other intermediary issuing certificate chain). This has to be the entire chain of CA's (from Root, down to the CA that issued the ACS cert)
on your client B you need to install ACS1 and ACS2 Root (and any other intermediary issuing certificate chain). This has to be the entire chain of CA's (from Root, down to the CA that issued the ACS cert)
NB: you don't install the ACS server cert on the clients - only the CA certs that generated the ACS server cert.
If the clients are Windows, then you would install the CA certificate chain under Trusted Authorities.
Also, just as a workaround/test you can configure your clients to ignore the Server Validation (under the 802.1x supplicant settings)