Firewall logs show the connection is dropped almost exactly after 2 hours (7200 seconds).
Under Server Configuration -> ClearPass system services there is a 'TCP Keep Alive Configuration', which by default is set to 7200.
I take it this means it will only send the first keepalive after 2 hours, which is no good for modern firewalls with default TCP connection state timeouts of 60 minutes.
Needless to say we'll be changing this to 1800 seconds :)