So, this is how it works:
Once you put in the username and password for the Mac or iPhone, it uses it forever.
When you use token caching on the controller, it will only send the first authentication to the RSA server and not send any further authentication traffic for the token caching period (12 hours in this case). The iPhone/Mac can roam, as long as it keeps submitting the username and password that were put in the first time.
When the token caching period expires, the controller will then pass through the username and password to the RSA server. Your Mac and iPhone, by default, will continue sending the old username and password and fail.
Needless to say, it is not good for this to occur during the day, so you might want to extend the token caching period as an initial workaround to see if things improve.
The real problem is that the iPhone and Mac supplicant, after the token caching period expiry, do not gracefully ask for a different username and password when they fail authentication.
The per-user connection config *might* work, but once again, it might ask every time the device goes to sleep, which might not be practical...
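The sequence described in the post above, modelled as an added example (this is not code from the original thread, the controller vendor, or RSA). It is a simplified, offline model: a SecurID-style passcode is assumed to be PIN + a 6-digit tokencode that changes every 60 seconds (the HMAC-based `tokencode` function, the seed, the user "alice" and the PIN are constructed for the example), the controller caches the first accepted passcode for `cache_period` seconds and answers from the cache without contacting the RSA server, and the "sticky" supplicant keeps re-presenting whatever was typed in the first time. `run_day` replays a day of roaming events and returns, per event, whether authentication succeeded and how many requests the RSA server has seen so far; the `reprompt` flag models the behaviour the post wishes the supplicant had, i.e. asking for a fresh passcode after a failure.

```python
"""Toy model of controller-side token caching in front of an OTP (RSA-style) server.
Added example, not from the original post. Assumptions are marked in comments."""
import hashlib
import hmac
from dataclasses import dataclass

TOKEN_STEP = 60  # seconds per tokencode (assumption: SecurID-like 60 s step)
PIN = "1234"  # constructed PIN for the example user
SEED = b"constructed-example-seed"  # constructed token seed, not a real one


def tokencode(seed: bytes, now: int) -> str:
    """Simplified time-based 6-digit code: HMAC over the current 60 s step."""
    step = (now // TOKEN_STEP).to_bytes(8, "big")
    digest = hmac.new(seed, step, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class RsaServer:
    """Verifies PIN + current tokencode and counts how often it is queried."""

    def __init__(self):
        self.users = {}  # username -> (pin, seed)
        self.queries = 0

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = (pin, seed)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        self.queries += 1  # every call here is RADIUS traffic to the RSA server
        if user not in self.users:
            return False
        pin, seed = self.users[user]
        return passcode == pin + tokencode(seed, now)


@dataclass
class CacheEntry:
    passcode: str
    expires: int


class Controller:
    """Wireless controller with token caching: first auth goes to RSA, later
    auths within cache_period are answered locally from the cached passcode."""

    def __init__(self, rsa: RsaServer, cache_period: int):
        self.rsa = rsa
        self.cache_period = cache_period
        self.cache: dict[str, CacheEntry] = {}

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        entry = self.cache.get(user)
        if entry is not None and now < entry.expires:
            # Within the caching period: no traffic to the RSA server at all.
            return passcode == entry.passcode
        # Cache missing or expired: pass the credentials through to RSA.
        ok = self.rsa.verify(user, passcode, now)
        if ok:
            self.cache[user] = CacheEntry(passcode, now + self.cache_period)
        else:
            self.cache.pop(user, None)
        return ok


class StickySupplicant:
    """Default behaviour described in the post: re-send the first passcode forever."""

    def __init__(self, user: str, passcode: str):
        self.user = user
        self.passcode = passcode


def run_day(cache_period: int, events, reprompt: bool = False):
    """Replay (label, time_s) events. Returns [(label, ok, rsa_queries_so_far)].
    With reprompt=True, a failed attempt is followed by the user being asked for
    a fresh passcode (the behaviour the post says the supplicant lacks)."""
    rsa = RsaServer()
    rsa.enroll("alice", PIN, SEED)
    ctrl = Controller(rsa, cache_period)
    sup = StickySupplicant("alice", PIN + tokencode(SEED, 0))  # typed once at t=0
    results = []
    for label, t in events:
        ok = ctrl.authenticate(sup.user, sup.passcode, t)
        if not ok and reprompt:
            sup.passcode = PIN + tokencode(SEED, t)  # user types the current code
            ok = ctrl.authenticate(sup.user, sup.passcode, t)
        results.append((label, ok, rsa.queries))
    return results


# Constructed timeline: login, two roams, then the first roam after a 12 h cache.
EVENTS = [("first login", 0), ("roam", 3600), ("roam", 6 * 3600),
          ("after cache expiry", 12 * 3600 + 1), ("retry", 12 * 3600 + 61)]

if __name__ == "__main__":
    for period in (12 * 3600, 24 * 3600):
        print(f"cache period {period // 3600} h:", run_day(period, EVENTS))
    print("with re-prompt:", run_day(12 * 3600, EVENTS, reprompt=True))
```

With the 12 hour cache, the two roams succeed without any RSA query, the first attempt after expiry is forwarded to RSA and fails because the stored tokencode is 12 hours stale, and the retry a minute later fails again and generates another RSA query. Extending the period to 24 hours only moves the failure past the end of the day, which is why the post calls it a workaround; the `reprompt` run shows that a supplicant asking for a new passcode after the first failure recovers immediately and the refreshed credential is cached again.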