Maybe this is crazy but...
Has anyone thought of using the JSS built-in CA, taking its issuer certificate as the trusted authority on a RADIUS server, and then having the clients auth with 802.1x using the JSS-issued cert? I can't reference that cert in a payload, so this may not be possible right now, but I thought it worth throwing it out there.
