That's Apple for you! I for one am looking forward to the day they come out of that ivory tower and play nice. Anyway...
If you're sure Clearpass isn't an option... :smileysad:
The most obvious answer is try a different supplicant. In the past I've been a fan of Juniper (Funk) Odyssey. It's good, but you'd have to test to make sure it worked against this (and it costs money). Also I hear good things about "wpa supplicant" which I believe is free?
Either of these might solve it, but you'd then have to work out how to distribute it to users...
Also, I have heard of Uni's writing scripts for Macs to clear out old creds. I don't have specifics on it though!
My love/hate view of Apple continues!