An Apple iPad connects to a wireless access point, and its traffic goes through an IPsec VPN tunnel pointed to the Cloud.
SSL intercept is enabled.
The custom-built application installs, but when it runs, it fails to complete its installation routine.
The following errors are returned:
Feb 12 14:02:54 <device_name> online-auth-agent <Error>: PPQ server trust evaluation failure: 5
Feb 12 14:02:54 <device_name> online-auth-agent <Notice>: Server returned no data
Feb 12 14:02:54 <device_name> online-auth-agent <Notice>: Could not complete online authentication
The iPad device is attempting to connect to ppq.apple.com.
Access logs show ssl_failure.
A packet capture was taken and shows that the iOS device FINs the connection from the proxy when the Cloud certificate is passed to the device. This is an indication that the device received a certificate it was not expecting and terminated/aborted the connection.
Log in to the portal and, in Solutions mode, go to Threat Protection > Policy > Trusted Destinations > Trusted Domains URLs > Add Trusted Domains/URLs and enter ppq.apple.com. Click the Activate button.
NOTE: You may need to add the IP address for ppq.apple.com to the Trusted Destination IPs/Subnets. As of this writing, ppq.apple.com resolves to 22.214.171.124 and may change at any time.
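To confirm which destinations actually need this bypass, the device errors can be correlated with the proxy's ssl_failure entries. The script below is an added example, not part of the original article or the vendor's tooling; the proxy access-log layout, the device names, the sample lines and the year are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Device line layout is the one shown in this article; the proxy layout is assumed.
DEVICE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<dev>\S+) online-auth-agent "
    r"<(?P<level>\w+)>: (?P<msg>.*)$")
PROXY_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) (?P<result>\S+)$")

# Constructed sample data (device names and proxy lines are hypothetical).
DEVICE_LOG = """\
Feb 12 14:02:54 ipad-01 online-auth-agent <Error>: PPQ server trust evaluation failure: 5
Feb 12 14:02:54 ipad-01 online-auth-agent <Notice>: Server returned no data
Feb 12 14:02:54 ipad-01 online-auth-agent <Notice>: Could not complete online authentication
Feb 12 14:05:10 ipad-02 online-auth-agent <Notice>: Server returned no data
"""
PROXY_LOG = """\
Feb 12 14:02:54 ppq.apple.com ssl_failure
Feb 12 14:03:01 www.example.com ok
Feb 12 14:09:30 updates.example.net ssl_failure
"""

def parse_ts(ts, year=2000):
    # Syslog timestamps carry no year; the default year is an assumption.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def trust_failures(device_log):
    # (timestamp, device) for every "trust evaluation failure" error line.
    found = []
    for line in device_log.splitlines():
        m = DEVICE_RE.match(line)
        if m and m["level"] == "Error" and "trust evaluation failure" in m["msg"]:
            found.append((parse_ts(m["ts"]), m["dev"]))
    return found

def bypass_candidates(device_log, proxy_log, window=5):
    # Hosts whose ssl_failure lies within `window` seconds of a device trust failure.
    failures = trust_failures(device_log)
    hits = defaultdict(set)
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m or m["result"] != "ssl_failure":
            continue
        seen = parse_ts(m["ts"])
        for failed_at, dev in failures:
            if abs((seen - failed_at).total_seconds()) <= window:
                hits[m["host"]].add(dev)
    return {host: sorted(devs) for host, devs in hits.items()}

if __name__ == "__main__":
    print(bypass_candidates(DEVICE_LOG, PROXY_LOG))
```

An ssl_failure with no matching device trust error (updates.example.net in the sample) is left out, so unrelated TLS failures are not added to the trusted list by mistake.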