Matej_Markelj_2
Sep 24, 2015

iPad certificate authentication on BIG-IP APM

Hi!

I am trying to set up certificate authentication / certificate check on our company iPads. iPads are all managed through MDM and have client certificates enrolled. Those certs work fine with old Juniper SSL VPN system. They are enrolled from our Enterprise CA which is in fact our MDM system. This Enterprise CA was issued from our root CA which is imported into BIG-IP.

I have created a new SSL client profile, selected certificate to be presented to user and customized client authentication settings. These are my client auth settings on my SSL client profile:

Our root CA is named Krka_root and is definitely the CA that issued the intermediate CA that issues iPad client certificates.

In VPE I've added On-Demand Cert Auth and configured it to "Require" setting:

Edge client is configured properly, I have chosen the correct client certificate which is on iPad. But when trying to connect, I get the following message: "Server rejected the supplied client certificate, or one was not sent":

It does not make a difference if I remove On-Demand Cert Auth from VPE and choose "require" client certificate in SSL client profile.

We are using BIG-IP version 11.6. If I remove On-Demand Cert Auth and try connecting to our BIG-IP system without certificate authentication (only AD auth), it works without issues.

Any help would be greatly appreciated.

4 Replies

  • What if you put both on request? What is in your Krka_root, only CA or intermediate CA and root CA?
  • I believe you need both your intermediate and root in your Trusted CA bundle.

  • Request / request setting did not help, but using CA bundle with intermediate did :). Thanks guys!
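
The fix in the last reply can be reproduced off-box with openssl (an added example, not part of the original thread or of F5 material): a device certificate issued by an intermediate CA fails verification against a trust file holding only the root and passes once the intermediate is added. It assumes the client presents only its own certificate; the CA names, `ipad-001` and all files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Constructed PKI: root CA -> MDM issuing CA -> device certificate.
# Every name and file below is made up for the demonstration.
pki=$(mktemp -d)

# Extension files: CA certificates must carry CA:TRUE, the device cert must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$pki/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$pki/client.ext"

new_csr() {    # $1 = file basename, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$pki/$1.key" -out "$pki/$1.csr" 2>/dev/null
}
issue() {      # $1 = subject basename, $2 = issuer basename, $3 = extension file
  openssl x509 -req -in "$pki/$1.csr" -CA "$pki/$2.pem" -CAkey "$pki/$2.key" \
    -CAcreateserial -days 30 -extfile "$pki/$3" -out "$pki/$1.pem" 2>/dev/null
}
# Succeeds only if a chain from the leaf ($2) to a trust anchor can be built
# from the certificates in the trust file ($1) alone.
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

new_csr root "Example Root CA"
openssl x509 -req -in "$pki/root.csr" -signkey "$pki/root.key" -days 30 \
  -extfile "$pki/ca.ext" -out "$pki/root.pem" 2>/dev/null      # self-signed root
new_csr mdm "Example MDM Issuing CA"; issue mdm root ca.ext
new_csr ipad "ipad-001";              issue ipad mdm client.ext

# The bundle that resolved the thread: intermediate plus root in one PEM file.
cat "$pki/mdm.pem" "$pki/root.pem" > "$pki/bundle.pem"

for trust in root bundle; do
  if verify_with "$pki/$trust.pem" "$pki/ipad.pem"; then
    echo "$trust.pem: device certificate accepted"
  else
    echo "$trust.pem: device certificate rejected"
  fi
done
```

The same `openssl verify -CAfile` check can be run against an exported device certificate and the candidate bundle before the bundle is imported.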