MDM registration fails with 'Failed to find CRL, unknown CA'

I'm setting up a few classes worth of iPads for a local school and have run into some issues getting the iPads registered on the Apple MDM server.

We have a mac mini running the latest version of El Capitan and the iPads connect to it using the Domain Name (theserver.mdm.theschool.edu). The domain is registered and administered by a third party and they run the main web site (theschool.edu), but they have forwarded all requests on the mdm subnetwork (i.e. *.mdm.theschool.edu to our local network (ASM has managed to contact our server using theserver.mdm.theschool.edu, so we know it works). nslookup and ping from inside the local network finds theserver.mdm.theschool.edu without a problem.

Because we can't mess with the main DNS for this project, I'm running DNS on the mac mini and send all requests from our mdm subnet to this server. All iPads use this server address as their DNS server and have no trouble accessing it. Any unknown requests are forwarded to the main DNS server.

I've created a domain in Open Directory for our local subnet (mdm.theschool.edu) and the master is this mac mini.

When I try to register an iPad via the server web site, it fails and I only see this in the log:
Jul 22 15:23:21 salome xscertd-helper[2261]: Failed to find CRL, unknown CA : F9D65C0B-42E7-4EBE-96A1-BB5F2EC0EF2C

I'm using self generated certificates. The CA given in the message changes each time.

I can download the certificate I'm using to the iPad successfully, just can't actually register the device. I've had a look at all the certificates I can see and they all have what looks like the correct CA in them.

Where else can I find more diagnostic info? Why does the CA keep changing (corruption, random data due something not specified...)?