Just to complete the thread, I logged it with TAC and got the following:
I understand that you have recently enabled Auto cert provisioning on the controller and it is working fine. However, the whitelist entries show as Factory cert when you expected it to be switch cert. This is normal with APs that come with a factory certificate. All new APs come up with a factory certificate installed on them. Only the legacy APs don’t have a factory certificate and would get the certificate from the controller (switch cert).