If you are using an in-house agent this may cause additional issues with trying to use a CA that is not trusted by Apple.
Before iOS 7.1 there was a workaround to use a non-secure link to begin enrollment, then to install the CA as part of the agent for those who use SSL. See: How to enroll an iOS device to a Mobile Management Server when the SSL Certificate is not from a trusted root certificate authority: http://www.symantec.com/docs/HOWTO64245
Unfortunately with Apple’s new requirement it is no longer possible to access the new device to download the CA. The only way to enroll iOS 7.1 and later devices is to have a cert that Apple already trusts.