I suppose I was looking for something more helpful than "buy more (or different, in this case) licensing", even if the answer is "there's nothing that can easily be done to fix this other than manually installing the certificate, figuring out why QuickConnect is a broken application on this phone, or pushing the proper connection method through EAP-TLS".
I think we can all appreciate customer's budget restrictions and the difficulty in selling something that, despite being sound security practice, is going to come across as "we can't support this new change in device behavior, here's a quote so we can work through this." Especially in a situation where they were sold QuickConnect "Quick Fast and easy!" to handle these issues.
I'll post back here with a resolution I or support find.