That might happen if traffic to an NTP server is blocked. If the IAP does not get the time via an NTP server, it will think that the certificate in central is not yet valid. I would SSH into the IAP, type "show log system" and see if the time is from 1970.