We ran into this issue.
amigodave is 100% correct in his explanation.
We created a separate service just for iOS devices because in the first request you see from the iOS device during Onboarding it does not contain any of the Aruba-Mdps-* information.
For the service we created to catch iOS's first request, we used the attribute Aruba-Port-Id because it is included in all of the initial requests sent by the iOS devices. This allowed us to filter the service accurately. The Aruba-Port-Id references the name of the Onboarding page.
Then in the subsequent requests made by the iOS device (I believe there are a total of 3) it contains the Aruba-Mdps-* information and will be filtered into your other Onboard service.
On a side note, make sure that you have Key Type set to 2048-bit RSA - Created by server.
This can be found by logging into the CPPM (if you are using CPPM): ClearPass Onboard > Onboard > Provisioning Settings > General
On our CPPM this Key Type had defaulted to * - created by device which was okay for all devices except for the iOS devices.
With the Key Type set to *- created by device, when an iOS device attempts to authenticate after being Onboarded it was not sending the device information from the certificate in its request.
Not sure if that is relevant or not but I just thought I would add it.