Have you referenced the VIA design doc?
http://www.arubanetworks.com/wp-content/uploads/VIAAppNote_2012-06-11.pdf
It should show you the settings needed for this. I assume this is TLS authentication? Is the server cert uploaded to the controller publicly trusted? I know there is a prompt to download this to the client which seems to be what's happening. So...if it isn't trusted, then the MAC obviously needs to add the server cert to perform that side of the trust for the authentication.
Also, please see the following:
Certificate Groups:
In ArubaOS 6.1, the administrator can define multiple IKE server-certificates for Clients using “Certificate Groups”. This solves the problem where multiple VPN Clients in the network are using Certificates issued by different CAs and the Controller has one Server-certificate for IKE. With this feature, the Controller can now configure multiple Server-Certificates for IKE and select the Server-Certificate based on the CA certificate that verifies the Client-certificate.
A “Certificate Group” groups one Server-certificate and one CA-certificate.
First the CA certificate has to be configured in IKE using the existing command: In this example configure two CA certificates.
crypto-local isakmp ca-certificate <ca1>
crypto-local isakmp ca-certificate <ca2>
Then configure the Certificate Group. In this example, configure one certificate-group for Client-certificates verified by “ca1” and another for Client-certificates verified by “ca2”.
crypto-local isakmp certificate-group server-certificate <s1> ca-certificate <ca1>
crypto-local isakmp certificate-group server-certificate <s2> ca-certificate <ca2>
Each Server certificate defined in the Certificate Group can be used both for IKEv1 and IKEv2.
If the Client-certificate does not match a specific Certificate-Group, then the single Server-certificate that is configured will be used depending on the IKE version.
crypto-local isakmp server-certificate <s3>
crypto-local isakmp server-certificate-v2 <s3>
In IKE_AUTH request message, when a certificate request payload is sent, controller receives it and goes through all the certificate groups defined. If a matching CA certificate whose hash of the public key matches the one received in certificate request payload, the corresponding server certificate is sent in IKE_AUTH response. If none of the certificate groups match, the default global server certificate is sent to the peer.