Recently I’ve discovered that Apple iDevices (iPhones and iPads in particular) do not work well when provisioned for EAP-TLS with a single broadcast SSID. In my case the device would successfully complete provisioning for certificate-based authentication but then re-authenticate as PEAP. One workaround was to forget the SSID after provisioning and add it back manually with the EAP type set to EAP-TLS.
Cisco ISE: 18.104.22.1686 Patch 1
The permanent fix was in the Native Supplicant Profile setting found under Policy > Policy Elements > Results > Client Provisioning > Resources. This is an iOS-specific setting and must be unchecked if the SSID is broadcast.