According to the user guide -
"certified-hold-switch-cert: An AP is put in this state when the controller thinks the AP has been certified with a controller certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP will not be approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.If an AP is in this state due to connectivity problems, then the AP will recover and will be out of this hold state as soon as connectivity is restored."
Seems like "connectivity problems". That could be a whole range of things, depending on your infrastructure.