Where exactly did you change the Common Name? There are CNs in more than 1 place.
OCSP = Online Certificate Status Protocol, which is a method of validating that the certificate is still valid. My suggestion to use the EAP-TLS method (without OCSP checking) was to rule out whether your issue was caused by the OCSP checking.
I'd suggest that you seek assistance (partner, Aruba TAC) in getting this designed right. This isn't something that you should fix by trial and error; you need to have it designed right in the first place. In the case that you really want to do it yourself, please read and understand the ClearPass Certificates 101 Technote. Setting up Onboarding and TLS authentication is not difficult, but it must be done right from the beginning.
What you will probably end up with:
- ClearPass HTTPS certificate publicly trusted, signed by a public CA; this is needed to get iOS onboarding to work most reliably, and to avoid certificate errors for still unconfigured (pre-onboarding) clients.
- ClearPass RADIUS certificate can be either from your private CA or from a public CA; check the Technote on when to pick what.
- Client certificates issued by the ClearPass Onboard internal CA (only need to be trusted by ClearPass); OCSP URL set to http://127.0.0.1/guest/mdps_ocsp.php/4 where 4 is the internal number of your CA.
My sincere apologies if I sound rude. Certificates appear to be challenging in general, and if you do it right it works perfectly. If you make a small error in the beginning of the process it will chase you to the end. And as things depend on the details, it is highly unlikely that this forum will give you the most optimal solution. Your ClearPass partner, local Aruba SE, or the Aruba TAC can go with you through the details and find the optimal solution for your deployment.
I started a video series on ClearPass hands-on yesterday that at a certain point will cover certificates as well; however, the certificate coverage may be a few weeks out from now as I have limited time to produce those videos. Onboarding will be covered probably within 1-2 months. I expect that you can't wait for that long.