Supporting facts:
OKC, or opportunistic key caching, is a mechanism that lets devices avoid re-negotiating keys with a RADIUS server when roaming from one access point to another AP that they have already been on. Devices that support OKC enjoy faster roam times to access points with which they have previously associated. This applies ONLY on an 802.1x WLAN.
Mac OS X devices do NOT support OKC, so if OKC is enabled in the 802.1x profile (it is by default), Macs will not complete their key exchange, and this will manifest as a connectivity issue. If you have a 100% Mac environment, it is best to just turn OKC off in the 802.1x profile. Validate-PMKID provides a way to check whether a device is attempting to associate using OKC, while allowing clients such as Macs that do not support OKC to complete a full key exchange. Enabling both OKC and Validate-PMKID is for a mixed environment where you want to support clients that do OKC but also allow non-OKC clients to coexist. You can also get by with turning OKC off altogether, with few, if any, issues. OKC is much more important for voice clients, where VoIP applications are very sensitive to roaming and need that fast-roaming support.
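The roam decision described above, as an added example that is not vendor code. It uses the standard IEEE 802.11 PMKID derivation; the `Controller` class, its return strings, the MAC addresses and the PMK are constructed for illustration, and the behaviour without PMKID validation is a simplification of what the text describes.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """IEEE 802.11 PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA).
    aa = authenticator (AP/BSSID) MAC, spa = supplicant (client) MAC."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

class Controller:
    """Hypothetical model of a PMK cache shared by all APs on one controller."""
    def __init__(self, okc: bool = True, validate_pmkid: bool = True):
        self.okc = okc
        self.validate_pmkid = validate_pmkid
        self.cache = {}  # client MAC -> PMK from the last full 802.1x exchange

    def full_auth(self, spa: bytes, pmk: bytes) -> None:
        self.cache[spa] = pmk

    def reassociate(self, spa: bytes, new_bssid: bytes, offered_pmkid=None) -> str:
        pmk = self.cache.get(spa)
        if not self.okc or pmk is None:
            return "full_8021x"
        if not self.validate_pmkid:
            # Simplification: the cached key is assumed, which fails for
            # clients that never derived a PMKID for the new AP.
            return "assume_cached_pmk"
        expected = pmkid(pmk, new_bssid, spa)
        if offered_pmkid is not None and hmac.compare_digest(offered_pmkid, expected):
            return "okc_fast_roam"  # skip RADIUS, go straight to the 4-way handshake
        return "full_8021x"         # non-OKC client: fall back to a full exchange

# Constructed sample values (locally administered MACs, dummy PMK).
PMK = bytes(range(32))
CLIENT = mac("02:00:00:00:00:10")
AP1 = mac("02:00:00:00:aa:01")
AP2 = mac("02:00:00:00:aa:02")

if __name__ == "__main__":
    ctrl = Controller(okc=True, validate_pmkid=True)
    ctrl.full_auth(CLIENT, PMK)  # first association on AP1
    print("OKC client:    ", ctrl.reassociate(CLIENT, AP2, pmkid(PMK, AP2, CLIENT)))
    print("non-OKC client:", ctrl.reassociate(CLIENT, AP2))
```

The same PMK yields a different PMKID for each BSSID, which is why an OKC client can present a valid PMKID to an AP it has not yet fully authenticated against.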