There is a discussion at https://macadmins.slack.com/archives/C5238RU9X/p1732187435343649 that covers most of this issue. It doesn't explicitly say why a different non-identity cert payload isn't used and also if I navigate to the enterprise application path in Safari it prompts me to use the Device Identity cert for client authentication and then server the page

Things have definitely got better for us but I have just found a problem device running iOS 18.1. Not sure what has made it better as we had a version of our MDM where Allow Pairing was always set to false so we had to wipe and DEP enrol some devices again Sequoia uplift Xcode 16 uplift Sorry can't be of more help