Apple Push not working after applying WIFI profile with certificate

Hello Experts,

I am having a "strange looking" problem at a customer where I need you help to solve. The customer has a Microsoft PKI configured in Afaria, and we want to publish WIFI Policies configured for certificate based authentication. Later the customer also wants to use certificates for authentication on the Exchange infrastructure.

The problem we are facing is as follows. As soon as the WIFI policy including the user certificates is applied on the iOS device, the device is not able more to receive Apple Push Notifications. As soon as I deactivate the policy and enroll the device again, push notification is working again until I am applying the WIFI Policy again. The WIFI network itself is not causing that troubles – all needed ports are open. And even when switching OFF WIFI the Apple Push Notifications are still not coming.

The Infrastructure is as follows:

Afaria 7 SP19 (updated today) on Windows Server 2012 R2

MS SQL Database

MS-PKI (3-tier infrastructure with a Root CA, a Policy CA on each site and an Issue CA on each site) – the certificates for the MDM are issued from the issueCA using templates we created according the following SCN article https://wiki.scn.sap.com/wiki/display/SAPMOB/1.2+-+Preparing+the+certificate+template+for+Wifi+authentication

We can't find any "interesting information" in the Server Logs. I already contacted the SAP support - but they are pointing me to the configuration of the CA.

Did anybody of you have had the same problem like I have? Than i would be more than happy if you could give me some hints on how to troubleshoot the issue.

The CA for WIFI is configured as follows:

Please see the following screenshots on how we created the policy:

Is it OK that the certificate is showing um under the Category "Device Identity Certificates"? Please ignore the Expiry Date - the screenshot is already little older - the issued user certificate are expiring within 4 weeks.

Thank you for your help :)

br

Ernst