You probably will want to open a TAC case on this one; TLS is a pain and there are so many little things that could go wrong that it will be almost impossible to troubleshoot over the message board.
My guess is that the device has the OCSP URL embedded in the certificate and that URL no longer exists after upgrading. Try removing the profile from the iOS device and make sure that the root and device certificate are gone.
Also, if you go to Guest and look at Onboard > Certificate Authority Settings, look at the OCSP URL.
That URL has to be resolvable by the device, and if it doesn't match what is embedded in the certificate, then you need to edit the TLS method in CPPM and use the certificate override field, putting in what matches on the guest side. This will override the embedded URL on the certificate and use the one specified.
Also, iOS has some security things that they don't tell you about; specifically, if CPPM's server certificate is signed by a root that does not contain a common name, then it will fail.
Right now Entrust (GoDaddy) and Verisign are signing certs that have roots without the CN. You have to specifically request one that does. I think we might have just started ignoring that problem in 6.1.1.
Again, this is only for the cert that signs the CPPM server, not the CA root configured in onboarding/guest.
Don't know if this is much help, but hey, at least someone responded :)
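
The two certificate checks suggested in the reply above can be run with the `openssl` CLI against exported PEM files. This is an added example, not part of the original post and not Aruba tooling. The function names, the `ocsp.example.test` URL and the throwaway certificates are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```shell
# Added example: helper names and sample values are constructed, not from CPPM.

# Print the OCSP responder URL embedded in a PEM certificate (AIA extension).
embedded_ocsp_url() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# $1 = device certificate (PEM)
# $2 = OCSP URL shown under Onboard > Certificate Authority Settings
# Succeeds only when the certificate embeds exactly that URL. A mismatch is
# the case where the override field on the TLS method would be needed.
# Certificates carrying several OCSP URLs are reported as a mismatch.
ocsp_url_matches() {
    [ -n "$2" ] && [ "$(embedded_ocsp_url "$1")" = "$2" ]
}

# $1 = root certificate (PEM) that signed the CPPM server certificate.
# Succeeds if the subject contains a commonName attribute.
subject_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        grep -Eq '^[[:space:]]*commonName[[:space:]]*='
}

# Build a throwaway self-signed certificate so the checks can be tried offline.
# $1 = output PEM, $2 = subject string, $3 = OCSP URL to embed.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "$2" \
        -addext "authorityInfoAccess = OCSP;URI:$3" 2>/dev/null
}
```

Run `ocsp_url_matches` on the certificate issued to the device and `subject_has_cn` on the root above the CPPM server certificate, not on the Onboard CA root.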