No
When you onboard a device it will tie that username to it ( doesn't matter if it's a windows, Mac, or android) and that will be checked in the back ground to see if that user could add another device through a build in database query triggered by the preauth check.
You have the option to check each time a device connects to see how many devices that user has. (Which I think you are asking about) That works fine in a environment like a school, hospital or for guest where you want to restrict a user from having a set number of Mac auth, non onboarded and .1x devices combined based on a group membership. But it does add over head on CPPM since you are doing a query every time a device connects instead of just check when they try adding another device.
If you are only allowing users to connect to the network only with a cert then they wouldn't be able to onboard another device until the other one is expired or revoked.
I hope this makes sense. Just let me know if you're still confused and I can add a few screen shots in the morning.