oh snap. Really. So, you're only using it internally, not externally? Then you're going to run into SSL issues.
Here's some TMI ....
So, here's how we did it, with a recommendation from our friends at Modality - we set up an internal VIP on our F5 that we put a public certificate on that had all of the FQDNs of our internal web services on the SAN - DNS pointed the internal web services
FQDNs to this F5 VIP. So, we have a public cert on the web services, therefore the mobile clients (droid, ipad, windows phone, app store client) can all join while connected to the internal WIFI and not run into certificate issues.
We did that because of the requirements of having the machine name in the cert - thus, making public (comodo) certs not an option as we have a machine.domain.local scheme.
Here is the mobility stuff ... as if you don't have this already.
https://technet.microsoft.com/en-us/library/hh690030.aspx?f=255&MSPPError=-2147217396
The way to troubleshoot this is to install your certs on the non-working phone and see if they can then sign in. I'll look at the log right quick....
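The post above relies on one thing being true: every FQDN the mobile clients resolve to the F5 VIP must appear in (or be covered by a wildcard in) the certificate's Subject Alternative Name list. The script below is an added example, not code from the poster or from Modality, that performs that coverage check offline against a constructed SAN list and a constructed list of client-facing names; the hostnames used are placeholders, not names from the post. It generalizes the post's case slightly by also applying the wildcard matching rule (one `*` as the whole left-most label), so it can be pointed at any cert's SAN list and any set of FQDNs.

```python
"""Check that every FQDN clients will use is covered by a certificate's
Subject Alternative Name (dNSName) entries.

Matching follows RFC 6125 section 6.4.3: case-insensitive, a wildcard is
only honoured when it is the entire left-most label, and it matches
exactly one label (so *.example.com does not cover a.b.example.com).
"""


def dns_name_matches(san_entry: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname."""
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host

    san_labels = san.split(".")
    host_labels = host.split(".")
    # Wildcard must be the whole left-most label, and we refuse to honour
    # wildcards that are too broad (e.g. "*.com"), as browsers do.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    # A wildcard matches exactly one label: label counts must be equal.
    if len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_names(san_entries: list[str], required_fqdns: list[str]) -> list[str]:
    """Return the required FQDNs that no SAN entry covers (empty list = OK)."""
    return [
        fqdn
        for fqdn in required_fqdns
        if not any(dns_name_matches(san, fqdn) for san in san_entries)
    ]


def names_public_ca_cannot_issue(required_fqdns: list[str]) -> list[str]:
    """Flag names a public CA will not put on a certificate.

    Public CAs stopped issuing certificates for internal names (such as
    anything under .local, or a bare single-label host) in 2015 under the
    CA/Browser Forum Baseline Requirements. This is the reason the post's
    machine.domain.local scheme rules out a public cert on the servers
    themselves and pushes the public cert onto a VIP with public FQDNs.
    """
    flagged = []
    for fqdn in required_fqdns:
        labels = fqdn.lower().rstrip(".").split(".")
        if len(labels) < 2 or labels[-1] in {"local", "internal", "lan", "corp"}:
            flagged.append(fqdn)
    return flagged


if __name__ == "__main__":
    # Constructed sample data (placeholders, not names from the post):
    # the SAN list as it would be read from the public cert on the VIP,
    # and the FQDNs the mobile client will actually connect to.
    vip_cert_san = [
        "webext.example.com",
        "webint.example.com",
        "dialin.example.com",
        "*.meet.example.com",
    ]
    client_fqdns = [
        "webint.example.com",
        "dialin.example.com",
        "room1.meet.example.com",
        "fe01.example.local",  # server's own name, not on the VIP cert
    ]
    for name in uncovered_names(vip_cert_san, client_fqdns):
        print(f"NOT covered by SAN: {name}")
    for name in names_public_ca_cannot_issue(client_fqdns):
        print(f"public CA will not issue for: {name}")
```

Run it against the SAN list pulled from the VIP's certificate and the list of internal web-service FQDNs that DNS now points at the VIP; any name printed as not covered is one the mobile clients will reject on the internal WIFI, which is exactly the symptom the post describes.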