To elaborate on your question a bit:
- Active Directory performs (some) device management features for Windows devices, which can include the configuration of your wired and wireless to connect securely to the corporate network, and if you add the Microsoft AD Certificate Services (PKI) you can even enroll client certificates to your clients that can be used for EAP-TLS.
- MDM/EMM is a third party product that does similar things for non-Windows devices (and some for Windows devices as well), and many times it includes software/app management as well. Depending on the exact product, you can configure the wired/wireless authentication and install certificates for EAP-TLS authentication.
- If you don't want to take control over the end-user device, like in the case of BYOD, personal devices, or other situations, Onboard can be used to enroll the client devices for network access with a certificate.
The benefit of using AD/MDM/EMM on managed devices is that once the device is under management, the configuration and certificates can be pushed without any user interaction.
If you have a management tool that does not come with an integrated Certificate Authority to issue client certificates, you CAN use ClearPass Onboard to generate the certificate in which case you will need to have Onboard licenses. If your management pulls the certificates from its own CA, there is no need to use Onboard, just integrate with the existing CA to do TLS authentication which only takes Access Licenses.
I don't see how you would motivate Onboard if you have a managed environment, as Onboard is designed for unmanaged devices.