Community - SOTI MobiControl


SOTI MobiControl Discussions


  • 0 votes 8 answers

    certificate trust failure for iOS DEP enrolment via Apple Configurator 2?

    Before I describe the issue I'm seeing, I'll mention that this doesn't feel like a problem within Soti but instead a problem with the information being returned to the iPad from Apple's Device Enrolment Program.

    I am attempting to use Apple Configurator 2 to enrol an iPad into our self-hosted Soti instance via the Device Enrolment Program. I was able to configure this correctly earlier this year but am now seeing a problem when the device attempts to be managed by the MDM.

    Our server configuration is hosted in our data center and looks like:

      • one management server (MS) that is internal access only
      • two deployment servers (DS1, DS2) that are public-facing; DS1 and DS2 are placeholders for the real FQDNs

    I've completed the configuration in MS:

      • set up APNS
      • set up Apple Device Enrolment Program
      • set up Add Devices rule for iOS devices

    I've completed the configuration in Apple Configurator 2:

      • Organization
      • Server
          • using URL of https://DS1 for URL
          • trust certificate automatically set up for MobiControl Root CA
          • manually added certificates for DigiCert Global Root G2 and GeoTrust TLS RSA CA C1

    When I prepare the device, I use the following values:

      • prepare with Manual Configuration
      • Add to Device Enrollment Program
      • Supervise devices (checked and greyed out)
      • Allow devices to pair with other computers
      • Enable Shared iPad
      • the server that I configured earlier
      • the organization that I configured earlier
      • the defaults for Setup Assistant (MDM will control later)
      • a valid WiFi profile

    There is no problem with the preparation of the device. It appears in Apple Business Manager and I can assign it to our Soti server. In Soti, I can sync the DEP devices and the device is properly assigned to my Add Devices rule.

    However, I am running into a problem when I complete setup on the devices. After sending a WiFi profile to the device, I can select language and country and the device then correctly shows the Remote Management screen. When I proceed with the enrolment, I see an error on the device indicating that the action was 'cancelled'.

    When I look in Console to see activity on the device, I see two things that look incorrect:

      • the SSL negotiation fails with the message "Handle challenge, trust evaluation failed: “DigiCert Global Root G2” certificate is not trusted"
      • the logged URL points to DS2 instead of DS1 from my server profile. The URL looks like https://DS2/mc/dep/none/enroll

    I had recently set up a server in Apple Configurator 2 for DS2 and did not include the trust certificates in its configuration. This makes me wonder if something in the Apple infrastructure is caching the incorrect information and sending it to the device during its setup.

    Of interest, I have set up a trial account with SimpleMDM and have been able to successfully enrol the device there.

    I have also done the following to try to correct this problem:

      • removed all profiles and uninstalled/reinstalled Apple Configurator 2
      • removed the MDM server from Apple Business Manager and recreated it
      • updated the Apple Device Enrolment Program information in Soti
      • deleted and created a new Add Devices rule in Soti
      • attempted to enrol a second device
      • used the complete enrolment URL in the server configuration - e.g. https://DS1/Enrol/223

    Any ideas about why my Soti enrolment is failing?

    iOS
    5 years ago
