Essentially the only configuration that makes it a single SSID Onboard is adding an enforcement rule that checks if the outer method is EAP-PEAP and, if so, puts the device into an Onboard enrollment role. You can layer on policy checks for more advanced policies.
Keep in mind that all of the security issues around PEAPv0/EAP-MSCHAPv2 still apply with single SSID Onboard during the initial authentication. If your customer is security-conscious, I'd recommend dual SSID Onboard.