This is a quick warning to everybody using Profile Manager. If you ever have to restore Open Directory from an archive, you will lose the ability to enroll devices in MDM. There is no fix for this. You will have to wipe the PM database and recreate it from scratch and re-enroll all of your devices.
I have confirmed this with Apple just now. After a restore, SCEP is no longer able to determine which certs to use during enrollment, thus the process fails. There is seemingly no way to resolve this. Even if you dump the postgres database for PM and restore it after repromotion of your ODM, it still doesn't allow you to enroll in MDM.
It's still a good idea to make backups of Open Directory, as I'd rather lose Profile Manager than my LDAP, but it's still a PITA.