Ah, that limitation makes sense.
The trouble is that creating the server certs with OnBoard does not seem to be a universal solution. If all your devices are onboarded, it's fine, since they will have the OnBoard CA installed. But if you have non-onboarded services, your HTTPS/RADIUS certs will be signed by an unknown intermediate CA and will fail cert validation on the client.
In my understanding so far, I think there are two solutions:
1) buy separate root-CA-signed certs for OnBoard and for the server, using the inbuilt CSR mechanism for both
2) create a custom CSR using openssl that includes both the Win8.1 ext and the CA ext, and install the root-CA-signed cert in both PM and OB
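As an added example of option 2 above (this is not code from the original post or from the ClearPass product), the following POSIX shell script builds a CSR with openssl that requests both the CA extension (basicConstraints CA:TRUE plus keyCertSign/cRLSign key usage) and the extensions a TLS/RADIUS server cert normally needs (a DNS subjectAltName and the serverAuth EKU), then parses the CSR back to confirm the requested extensions are actually present. The post does not spell out which extension it means by "Win8.1 ext"; the SAN and serverAuth EKU here are an assumption, and the hostname `clearpass.example.com` is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: build a CSR that requests
# both the CA extension and the server-cert extensions, then verify it.
set -eu

# make_csr DIR CN SAN_DNS
#   writes DIR/server.key (unencrypted RSA-2048) and DIR/server.csr
#   The requested extensions live in the [ v3_req ] section; the issuing
#   CA decides which of them it honours, so the issued cert must be checked too.
make_csr() {
  dir=$1; cn=$2; san=$3
  cat > "$dir/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $cn

[ v3_req ]
# CA extension: lets the same cert act as the OnBoard issuing CA
basicConstraints = critical, CA:TRUE
keyUsage         = critical, digitalSignature, keyEncipherment, keyCertSign, cRLSign
# Server-cert extensions (assumed to be what the client-side check wants)
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$san
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -config "$dir/csr.cnf" 2>/dev/null
}

# csr_has_ext CSR PATTERN
#   exit 0 if the decoded CSR text contains PATTERN, e.g. "CA:TRUE",
#   "DNS:host.example.com" or "TLS Web Server Authentication"
csr_has_ext() {
  openssl req -in "$1" -noout -text | grep -q -- "$2"
}

# Usage:
#   make_csr ./out clearpass.example.com clearpass.example.com
#   csr_has_ext ./out/server.csr "CA:TRUE" && echo "CA extension requested"
```

Run `openssl req -in out/server.csr -noout -text` and look under "Requested Extensions" before sending the CSR off; then run the same check with `openssl x509 -in issued.crt -noout -text` on what comes back, because a CA applies its own profile and may drop or override requested extensions, and a cert without CA:TRUE will not work as the OnBoard CA no matter what the CSR asked for.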