Hello,
I had recently come across a scenario where Cisco wireless 7921G and 7925G handsets were rejecting ISE's certificate. I had set up the phones for EAP-TLS using MIC. I had uploaded Cisco's Root CA and Manufacturing CA Certificates and enabled "Trust for client authentication". A Certificate Profile was configured matching Common Name and was added to the Identity Sequence. The strange part was that Cisco wired handsets (7942, 7945 and 7965) were working with identical configuration.
What I had discovered was that even though the phone is set to not Validate Server Certificate, it still was, rejecting the EAP certificate signed by the local root CA. The issue was remediated by exporting the root CA certificate in DER format, accessing the Web Access webpage (Full Access Mode) and importing the root CA certificate to the handsets.
Hopefully this document saves someone a TAC call and some head scratching.
Kyle