There is no guarantee that having a public SSL certificate won't give warning when connecting on https. I've had customers complain about this and found that even tho the root CA cert is in the device trusted certificate store, but the intermedia isn't and this triggers the error.
So to avoid the error you need a certificate with a chain where all certs in the chain is validated to all devices.
Another thing is to open up for OCSP validation so the device can validate the chain. You do this by finding the ocsp URL's for you cert/-chain and whitelist those sites in the pre-auth role..