ios mdm scep GetCACert

Trying to setup an IOS MDM server and stuck with iphone trying to get the CA certificate from the scep.

I'm using openca as my scep server with a self signed cert. The scep request from the iphone comes in with parameters : operation=GetCACert&message=EnrollmentCAInstance, but the iphone does not like the response.

Using the sscep tool to test my scep server and i confirm that the CA and RA certificates are being sent out in response to the request.

So can someone shed some light on:

- any special headers (mime type et al) that is required by apple in the scep GetCACert response ?

- should the repsonse be a binary response or base64 encoded or any other type of format ?

- does the scep have to have any relationship with my mdm server (ie: in terms of common root certificate or the cert used to sign the mdm response to the iphone in the initial profile request) ?

- Anyone know of a public scep server i can access to check what a valid GetCACert resopnse looks like ?