Well, of course I'm going to recommend Clearpass! :)
However, to really answer your question, Tim is right. Although AirWatch or any other MDM will provision the TLS cert, you need something to authenticate and authorize the users into your network. That's where Clearpass comes in but it does a ton more than just that. With a single SSID, you can create different policies and access/actions where you can do some of the following (just a few of many use cases)
1. If you don't have a cert, (EAP-PEAP) then give guest access/role or redirect to a web page for MDM enrollment or instructions
2. If you are a certain device (i.e - tablet/phone vs Computer), hand out different roles
3. If you are coming in from X site vs Y site or location, do something different
4. If you have a cert from Airwatch and are jailbroken or have violated the MDM policy, redirect or restrict access
5. Differentiate access based on AD groups
So, you see, there are many possibilities but in addition to those above examples, you can also profile all your wired/wireless devices, include a very powerful visitor management system for guests, do posture checking for your Win/Mac OSs, and integrate with other systems like MDMs and firewalls or even helpdesk ticketing systems via a RESTful API.
Finally, to really answer the question - do you need an MDM (AirWatch). With Clearpass, we can issue the TLS certs through our Onboard module. This will bring the employees through a self-registration workflow to securely and simply onboard their devices into the network. It really does 2 things at the end of the day:
1. Configure the 802.1x supplicant
2. Issue the Cert (via our own integrated CA or SCEP proxy or through ADCS)
Now, if that is all you want - TLS creation/distribution, then onboard will do the job for you.
IF you require ongoing management of these devices through issuing policies/restrictions OUTSIDE the network, then an MDM of what you need. An MDM will restrict actions like app downloads, feature enablement (camera, cut/paste, etc...), and prevention of jailbreaking as well as push new policy to the managed devices perpetually. Keep in mind that this intelligence of these devices can be integrated with Clearpass for policy creation and access management.
Hope this helps!