You can only deploy one RADIUS and one HTTPS certificate, and they must be the same on the publisher and subscriber nodes.
The client checks the RADIUS server certificate against its CA trust list to trust the ClearPass server.
ClearPass checks the machine and/or user certificate against its CA trust list to trust the machine or user.
If you look in ClearPass Access Tracker, you can see that an EAP-TLS authentication has just an ietf-radius-username with the value “username” or “machine name” that will be authenticated against your authentication server.
So there is no issue. You can make roles and enforcement profiles based on, for example, “authentication source equals ad1”. Or make roles based on AD group membership OU.
Hope this helps you!