1) You should never use the default CA in production.
2) Return an application enforcement during Onboard pre-auth using the ClearPass:Session-Timeout attribute with a value in seconds (1 month = 2592000). The CA's maximum validity needs to be greater than or equal to any of these returned values.