Error message “Profile Installation failed an SSL error has occurred and a secure connection to the server cannot be made.” Cisco bug id CSCvr44568 “BYOD TLS not working for Apple iOS 13”. It appears as a new version of iOS 13.x has a requirement that all certificates in the chain be SHA2 (even root) for BYOD to complete successfully. Once I got a new ISE certificate signed properly by SHA2 and imported it into ISE (services restarted) I was still getting errors but this time a different kind.
It appeared as devices were not trusting new certificate due to an incomplete chain. On the endpoint, root certificate was present but intermediate (as expected) not and it is usually pulled at the time of certificate verification. So when my machine had full access to the Internet and I was to open certificate it would pull intermediate and certificate validation would pass. However, during BYOD provisioning or on Guest network I would get an untrusted certificate error. Root and intermediate were imported into ISE and were set to Client and Admin auth.
Once I came to the understanding that it was ISE not supplying complete chain I had only one last thing to do – reboot all nodes. Once reboot was completed certificate started validating properly by the client and the BYOD process finally completed successfully.