PEAP (username and password authentication) at minimum only requires that the client trusts the CA of the Radius Server. If you use AD to configure your CA and to issue the server cert to your Radius Server, this happens automatically with all clients that have joined the domain.
EAP-TLS (machine or user certificate authentication) at minimum requires the client trust the CA of the radius server, and also that a user or machine certificate be issued. If you enable autoenrollment in AD, both of these things happen automatically with domain clients.
The CA in ClearPass is mainly useful to distribute EAP-TLS certificates to clients using onboard, which is requires a client to access a webpage to distribute a certificate. It is targeted at non-domain devices, that do not automatically trust the CA, Server cert and would not be able to easily get a client certificate.
If your client falls into scenario #1 or #2, it is best they use the domain for the CA, because it is easier to setup and maintain.