Annoyingly enough, the issue has now stopped manifesting itself (right after I had escalated the case to Aruba TAC).
In terms of enforcement, the policy used was the Sample Allow All, but what's more important is that the reverting back to unknown did not just happen upon connection to a wireless network. It happened as soon as the endpoint was manually marked as known by the administrator.
One clue that is missing from the description is that ClearPass was synchronising with Airwatch to import known endpoints. However, when the issue began, we deleted Airwatch altogether from the list of Context servers and the issue carried on happening even when manually deleting and recreating the endpoint.
All the Database cleanup times were and still are set to default.
I've sent the logs to support in the hope they captured some relevant information, but I am now waiting for the issue to appear again.
Cheers,
Giuseppe