It looks like an IOS device on 8.0.2 that has never connected to a SSID that produces a captive portal SSL page with certificate cannot get on.
The certificate will show as not trusted and the option to trust the certificate doesn't do anything.
For us we use inCommon through AdTrust - but every new 8.0.2 device we've tried has no way of getting on our guest portal - even though the certificate is fine. 8.0.0 works fine. All the certificates and chain are loaded and haven't changed on CPPM.
I also ran a packet-caputer of an iPad and it only ever tries to go to itools.info and captive.apple.com and then the nearest CDN for both. It never attempt to go anywhere else.
Googs showed one other very similar post:
"OS 8.02 still leaves various thing broken. Especially concerning is that it has broken wifi connections to corporate wifi networks. Any corporate wifi network that uses a web page for credentials just brings up a popup that says the certificate can’t be trusted and even if you attempt to “trust” it, you are brought back to the wifi choice screen where you have to rechoose a network and you are in an endless loop. Iphone and iPad both on IOS 8.02 both react the same."
Luckily we're only asking for name, e-mail and to accept our policy so I switched over to http. Seeing that a large majority of our 'Guest' devices are IOS.