RE: 1) No I did not create a computer name in AD. Is that a requirement for EAP/TLS?
I’m not sure if its required for your environemnt, it is for mine. Our Cisco ISE server is setup to look at a specific AD group to see if the object SN is listed, if its listed and matches the certificate SN it passes 802.1x
When you do 802.1x enrollment in WMS under Privacy and Security do you have “Select Install CA Certificate” ON? Check with your network guys that the Cisco ISE is looking at the correct certificate chain and any intermediate certificates needed for the authentication process and that you have them installed. The error looks like there is an unsupported certificate.
Also make sure the time on the thin client is sync’d with whatever your internal time server is, if the time is off the certificates will be out of sync. I’ve seen that before too where time/date resets itself to sometime in 2012 and the certificates are at a time in the future and not valid.