Can't install enrollment profiles, logs show complaints about failed membership check for opendirectory group

Clean install of Yosemite. Using self-signed certificates, turned on Profile Manager, downloaded Trust Profile and created an enrollment profile from the web interface. Fails in Apple Configurator.

So I go to the /mydevices/ page manually on the iPad, log in and click "Enroll", but I get a 500 internal server error. Click on Profiles and try to install the enrollment profile (trust profile went through fine with Apple Configurator), but I'm then told it can't connect to the server.

Check the logs and I see this (domain removed):

14/11/14 11:18:22,671 xscertd-helper[999]: Authentication challenge password request failed authorization for (domain removed)$ as record failed membership check for opendirectory group

14/11/14 11:18:22,672 xscertd[998]: AuthenticateChallengePasswordRequest returned error

14/11/14 11:18:22,698 xscertd[998]: Request from 127.0.0.1:49628 failed, returning Failure (ChallengePassword Authenticate) status

14/11/14 11:18:22,701 php-fpm[527]: do_dmx_get_scep_challenge_for_host: caught exception -[SCEPHelper getSCEPChallengeForHost:] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-883.16/Compiled/Fra mework-Base/Support/SCEPHelper.m:76): "'((SCEPHELPER_GetSCEPChallenge(self.connection, hostname, hostnameCnt, &challenge, &challengeCnt)))' error 1"

Anybody have any idea what might be wrong here?