As Tim mentioned: don't do it. Also Android has made it really hard to configure, but there is an option under the Advanced WiFi configuration where you can import root CAs for WiFi (which you can first export from the Trust list in ClearPass), and then it should be possible to sea in the dropdown for the CA Selection when you manually configure the authentication. It was for me already challenging to get the root downloaded to my phone as during download it will open the certificate store for web authentication which is not linked to the one for WiFi. I had to create a quick web-site with a link that I could 'download link' from to get it even in my Downloads folder.
It's all clear that is is made as hard as possible to do this manually, which is another indication that you probably should not be doing this.
I even just tested, but keep seeing the client reporting: unknown_ca, so I can't make it work quickly. Using Onboard or equivalents is probably better while moving to EAP-TLS at the same time.