You may need to open a TAC case on this so that we can see the whole setup, I'm a much more visual person :P
But I ran into this last week and had to do the following:
1. Two-service solution. Service 1 to handle onboarding, Service 2 for post-onboarding. Service 1 should be 'lower' on the service list and should contain the PAP/Local Host configuration.
Service 2 should allow PEAP and TLS with enforcement that says: if PEAP, then Captive Portal Role; if TLS, Welcome to the Network role.
Of course there is a lot more consideration that needs to be done for other PEAP devices, but it's doable.
2. Uncheck PEAP from OnBoard > Configuration Profiles > Network Settings > Protocols > OSX, iOS > PEAP.
It's only needed for post-onboarding of devices that do not support TLS. It seems OSX by default will prefer PEAP over TLS, don't ask why.
After that everything was happy.
Also make sure that every time you onboard your test device you remove the profile and certificate from both the CPPM/Guest side and the device.