Found the issue before speaking with TAC. Our Mobile Iron sits in a DMZ with a non-10.x.x.x address like the rest of our environment. Had to enter a route on the controller for that DMZ network. For everyone who is trying to authenticate with a cert only, here are the settings that worked:
1. Upload the Trusted CA cert and a Server CRT to the controller. In my case, I had a Mobile Iron Trusted CA cert, as well as a wildcard cert that encompassed all servers in our domain, i.e. *.mydomain.com.
2. Create a role for AAA to use to allow/deny access and apply policies. For our requirements I created a policy blocking access to all internal resources, with the exception of ClearPass IPs, DCs for DHCP and DNS, and the MobileIron IP.
3. Created an L2 802.1x auth profile. In the Advanced Tab I selected "termination" and "eap-tls". No inner-EAP type was selected because we're authenticating with a cert only. Further down I selected the Mobile Iron CA-Cert from the drop-down, then the company Wild Card cert for Server-Cert.
4. Created an AAA profile and added the role created in Step 2 to the Initial Role and the 802.1x Authentication Default Role. I also added the 802.1x Authentication profile created in Step 3.
5. Created a new VLAN and L3 address for the Mobile Wi-Fi SSID.
6. Created a Virtual AP with the new VLAN and AAA Profile. Created a new SSID profile using WPA2-AES as the encryption type.
7. Added the Virtual AP to the remaining AP Groups in the building.
Hope this helps someone out there who is trying to do the same. Thanks for the guidance, Tim!
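
The steps in the post above, written out as controller CLI. This is an added example, not the poster's configuration: it assumes ArubaOS 6.x-style syntax (older releases use `session-acl` instead of `access-list session` under `user-role`), and every profile name, VLAN ID and address is a hypothetical placeholder.

```text
! Assumed addressing: internal 10.0.0.0/8, DMZ 192.0.2.0/24 (placeholder)
! Route to the DMZ network that holds the MobileIron server
ip route 192.0.2.0 255.255.255.0 10.1.1.1
!
! Step 2: role that blocks internal resources except the listed hosts
netdestination mobile-allowed
  host 10.1.1.20
  host 10.1.1.10
  host 192.0.2.10
!
ip access-list session mobile-restrict
  any any svc-dhcp permit
  user alias mobile-allowed any permit
  user network 10.0.0.0 255.0.0.0 any deny
!
user-role mobile-cert
  access-list session mobile-restrict
!
! Step 3: 802.1X terminated on the controller, EAP-TLS only, no inner EAP type
! Certificate names are the names assumed at upload in Step 1
aaa authentication dot1x "mobile-dot1x"
  termination enable
  termination eap-type eap-tls
  ca-cert "MobileIron-CA"
  server-cert "wildcard-mydomain"
!
! Step 4: same role as initial role and 802.1X default role
aaa profile "mobile-aaa"
  initial-role "mobile-cert"
  authentication-dot1x "mobile-dot1x"
  dot1x-default-role "mobile-cert"
!
! Step 5: VLAN and L3 interface for the SSID
vlan 200
interface vlan 200
  ip address 10.20.0.1 255.255.255.0
!
! Steps 6-7: SSID, virtual AP, AP group
wlan ssid-profile "mobile-ssid"
  essid "Mobile-WiFi"
  opmode wpa2-aes
!
wlan virtual-ap "mobile-vap"
  aaa-profile "mobile-aaa"
  ssid-profile "mobile-ssid"
  vlan 200
!
ap-group "building-aps"
  virtual-ap "mobile-vap"
```

In the netdestination, 10.1.1.20 stands in for ClearPass, 10.1.1.10 for a DC, and 192.0.2.10 for MobileIron; the `svc-dhcp` rule is an assumption added so the initial DHCP broadcast is not dropped by the role.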