I am just running into this problem as well.
My thought process was that by terminating at the controller with a publicly trusted cert of my choosing, we would be in a position to prevent the annoying warnings/validations from coming up. In the EDU space, students bring a bevy of unmanaged clients onto the network, and I don't like advising "Just click ok if you get a cert error" or "disable the server validation" checkbox.
I originally thought I was having a chaining problem, but I tied the whole trust chain together into a single server crt file I used to terminate EAP on the controller. Upon connecting, on an OSX Lion client if you click the "details" button it now shows a clean trust chain and just asks you to take a look at the certificate and subsequently adds it to the keystore. On my iPhone4, I get a "Not Verified" warning.
My Android clients connect just fine.
Anyone come up with a clean(er) solution to this problem?