cjoseph: thanks for your comments, I will create the TAC case if there wont be a solution through this board :)
xdrewpjx: Thanks for your suggestion and information regarding the iOS login process. I modified the service as you suggested, now using "copy of EAP-TLS with OCSP enabled" (without authorization). Method order is:
1. Copy_of_[EAP TLS With OCSP Enabled]
2. [EAP PEAP]
3. [EAP FAST]
4. [EAP TTLS]
I added the OCSP to the provisioning settings, the CA is the OnBoard itself so the default link should be fine. I can not test it today as I need someone with an iOS device to test it. Ill ask someone to test tomorrow.
Could you please clarify, should the [Onboard Devices Repository] be the only authentication source in my 802.1x service?
Thanks!