Hey, I've seen this before in deployments as well, usually in 802.1x. When I took it was up with an SE I found that the reason was due to the client not authenticating to the network but still associated to the BSSID (in order to complete the authorization). So the client had associated but the 802.1x did not occur correctly (such as a timeout or similar) they are placed in the Deny All.
So in short since the client has a "connection" to the SSID but not a valid connection to the network, they was placed in the Deny All.