I run a Public Cert and we still get prompted on allowing the cert on iOS. The CA is in the Trusted CA list for Apple as well. The intermediate certs are the problem, I believe. Haven't had time to dig through and find a solution.
My understanding is I need a certificate from a public CA if I want to avoid trust issues? Is that correct?
More accurately, you need a certificate (or certificate chain) that your devices trust. This can be your own private CA, but then you need to have your Private CA's cert installed as a trusted root on your client devices.
Assuming you are using Active Directory, it is common to deploy a Microsoft CA server. This will create a group policy that causes all your clients to trust its root certificate.
You can also create your own group policy to trust any root certificate that you want to use for WiFi. Note that the RADIUS server cannot use a self-signed certificate - it needs to be signed by a separate root certificate. You can also use group policy to auto-configure the WiFi settings.
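
The chain-of-trust point discussed above can be checked offline with the `openssl` CLI. This is an added example, not something posted in the thread: it builds a constructed root CA, intermediate CA and RADIUS server certificate (all names and file names are made up) and shows that a client trusting only the root accepts the server certificate only when the intermediate is supplied alongside it.

```shell
#!/bin/sh
# Constructed demo PKI (all names are made up for this example):
#   Example Root CA -> Example Issuing CA -> radius.example.test
# plus a self-signed server certificate for comparison.

# mk_csr NAME CN: write NAME.key and NAME.csr in the current directory.
mk_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_pki DIR: create the certificates in DIR (runs in a subshell).
build_pki() (
    set -e
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext
    mk_csr root 'Example Root CA'
    mk_csr int  'Example Issuing CA'
    mk_csr srv  'radius.example.test'
    mk_csr self 'radius-selfsigned.example.test'
    # Root: self-signed CA certificate, the one clients install as trusted.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 30 -out root.pem 2>/dev/null
    # Intermediate: signed by the root.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 30 -out int.pem 2>/dev/null
    # Server certificate: signed by the intermediate, not by the root.
    openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -extfile srv.ext -days 30 -out srv.pem 2>/dev/null
    # Self-signed server certificate: chains to nothing but itself.
    openssl x509 -req -in self.csr -signkey self.key -days 30 -out self.pem 2>/dev/null
)

# trusted ROOT LEAF [INTERMEDIATES]: succeed if LEAF chains to ROOT, using
# INTERMEDIATES (what the server would send in its handshake) to fill the gap.
trusted() {
    openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>/dev/null | grep -q ': OK$'
}

verdict() { if trusted "$@"; then echo trusted; else echo 'NOT trusted'; fi; }

demo=$(mktemp -d)
build_pki "$demo"
echo "server cert, intermediate not sent: $(verdict "$demo/root.pem" "$demo/srv.pem")"
echo "server cert, intermediate sent:     $(verdict "$demo/root.pem" "$demo/srv.pem" "$demo/int.pem")"
echo "self-signed server cert:            $(verdict "$demo/root.pem" "$demo/self.pem")"
rm -rf "$demo"
```

The same `trusted` check can be pointed at a real root, server certificate and intermediate bundle exported as PEM files.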