Hi,
I'm just chiming in here because there seems to be an issue when deploying the access points through PnP with authentication through the TLS certificate.
Please take into account that currently behaviour seems to be misaligned between the WLC and AP onboarded through PnP for TLS, the AP will present the TLS certificate which is LSC and the WLC will put the AP in LSC fallback state which does not allow the AP to download the WLAN info through the CAPWAP. There might be a very easy manual workaround for that, but it could defeat the whole purpose of PnP (zero touch) automation.
I have not experienced any issues using the PEAP option with credentials though and this can also be leveraged efficiently in ISE Policy.
Engineering is looking into the issue with the TLS LSC certificate as we speak and I'm convinced we will see a fix on the DNAC side eventually, but for now PEAP seems the way to go if you want some added security enabling some form of AP authentication.
Bear in mind that I'm not a security expert and I advise you to go over this with your security team or a Cisco security expert before rolling this out in production.
