WiFi Lockouts for Active Directory Accounts (Mobileconfig Deployment Question)

Discussion in 'Parallels Mac Management for Microsoft SCCM' started by RA Support, Feb 6, 2020.

  1. RA Support

    I'm curious if anyone knows a solution to a problem I'm having with WiFi settings used for our mobileconfig file. I can't seem to find a straight answer anywhere online. If anyone can suggest a good resource, please let me know.
    • Entering the password correctly at the login screen will authenticate an Active Directory account successfully, even if the profile is being created for the first time. It will connect to our internal SSID after the desktop loads. This works even if the computer is not connected via Ethernet. This provides immediate access to domain resources.
    • Entering the password incorrectly will lock the account almost instantaneously. If you unlock the account and manage to load the desktop successfully, WiFi will not connect successfully until you log off, unlock the account again, and log back in. Using Netwrix Account Lockout Examiner, I can see "Bad Pwd Count" rise quickly when the problem occurs, even if the password field is available for typing on the client computer with the problem. This coincides with the WiFi icon blinking on and off on the client computer (whether or not the desktop has loaded). The account also gets locked out once the desktop loads due to WiFi trying to authenticate over and over again.
    • I tried using the OneTimeUserPassword option in hopes of correcting this, but it did not seem to fix the problem.
    • Our WiFi access points are Meraki devices.
    • The mobileconfig file contains a working certificate payload. Upon successful login, WiFi automatically connects without any certificate prompts or errors.
    The relevant entries in our mobileconfig file are shown below.

    AD Certificate Section of Mobileconfig File
    <dict>
    <key>AllowAllAppsAccess</key>
    <true/>
    <key>CertServer</key>
    <string>(details removed)</string>
    <key>CertTemplate</key>
    <string>macOS</string>
    <key>CertificateAcquisitionMechanism</key>
    <string>RPC</string>
    <key>CertificateAuthority</key>
    <string>(details removed)</string>
    <key>CertificateRenewalTimeInterval</key>
    <integer>14</integer>
    <key>Description</key>
    <string>Acquire AD Certificate</string>
    <key>KeyIsExtractable</key>
    <false/>
    <key>Keysize</key>
    <integer>2048</integer>
    <key>PayloadDisplayName</key>
    <string>AD Certificate</string>
    <key>PayloadIdentifier</key>
    <string>(details removed)</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.ADCertificate.managed</string>
    <key>PayloadUUID</key>
    <string>(details removed)</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PromptForCredentials</key>
    <true/>
    </dict>

    WiFi Section of Mobileconfig File
    <dict>
        <key>AutoJoin</key>
        <true/>
        <key>EAPClientConfiguration</key>
        <dict>
            <key>AcceptEAPTypes</key>
            <array>
                <integer>25</integer>
                <integer>21</integer>
                <integer>13</integer>
            </array>
            <key>OneTimeUserPassword</key>
            <true/>
            <key>SystemModeCredentialsSource</key>
            <string>ActiveDirectory</string>
            <key>TLSTrustedServerNames</key>
            <array>
                <string>(details removed)</string>
                <string>(details removed)</string>
            </array>
            <key>TTLSInnerAuthentication</key>
            <string>MSCHAPv2</string>
        </dict>
        <key>EncryptionType</key>
        <string>WPA</string>
        <key>PayloadCertificateUUID</key>
        <string>(details removed)</string>
        <key>PayloadDisplayName</key>
        <string>Wi-Fi</string>
        <key>PayloadIdentifier</key>
        <string>(details removed)</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.wifi.managed</string>
        <key>PayloadUUID</key>
        <string>(details removed)</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>SSID_STR</key>
        <string>(details removed)</string>
        <key>SetupModes</key>
        <array>
            <string>System</string>
            <string>Loginwindow</string>
        </array>
    </dict>
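As an added example that is not part of the original post: a small Python script that parses the Wi-Fi payload of an unsigned mobileconfig with the standard plistlib module and summarises the 802.1X settings involved in the lockout described above (SetupModes, AcceptEAPTypes, OneTimeUserPassword, SystemModeCredentialsSource, TTLSInnerAuthentication), flagging the combination of Loginwindow mode with a password-based EAP method. The embedded sample mirrors the posted Wi-Fi section; its SSID is a constructed placeholder and the EAP type names follow the IANA method numbers.

```python
import plistlib

# IANA EAP method type numbers as used in AcceptEAPTypes: 13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP
EAP_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
PASSWORD_EAP = {21, 25}  # methods that carry the user's password (here via MSCHAPv2 inner auth)

# Constructed sample mirroring the Wi-Fi payload in the post; the SSID is a placeholder.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>EXAMPLE-SSID</string>
  <key>AutoJoin</key><true/>
  <key>EncryptionType</key><string>WPA</string>
  <key>SetupModes</key><array><string>System</string><string>Loginwindow</string></array>
  <key>EAPClientConfiguration</key><dict>
    <key>AcceptEAPTypes</key><array><integer>25</integer><integer>21</integer><integer>13</integer></array>
    <key>OneTimeUserPassword</key><true/>
    <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
    <key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>
  </dict>
</dict></array></dict></plist>"""

def wifi_payloads(mobileconfig_bytes):
    """Return every com.apple.wifi.managed payload found in an unsigned mobileconfig."""
    root = plistlib.loads(mobileconfig_bytes)
    return [p for p in root.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"]

def lockout_risk_report(payload):
    """Summarise the 802.1X settings behind the login-window lockout and flag the risky mix."""
    eap = payload.get("EAPClientConfiguration", {})
    types = set(eap.get("AcceptEAPTypes", []))
    modes = payload.get("SetupModes", [])
    report = {
        "ssid": payload.get("SSID_STR"),
        "eap_types": sorted(EAP_NAMES.get(t, str(t)) for t in types),
        "setup_modes": modes,
        "one_time_user_password": bool(eap.get("OneTimeUserPassword", False)),
        "system_credentials": eap.get("SystemModeCredentialsSource"),
        "inner_auth": eap.get("TTLSInnerAuthentication"),
        "findings": [],
    }
    # Loginwindow mode hands the password typed at the login window to 802.1X; with a password-based
    # EAP method accepted, a mistyped password is retried and each retry is a failed AD logon
    # (the rising "Bad Pwd Count" seen in the post).
    if "Loginwindow" in modes and types & PASSWORD_EAP:
        report["findings"].append("Loginwindow mode with password-based EAP: mistyped login password is retried against AD")
    return report
```

Run `lockout_risk_report` on each payload returned by `wifi_payloads` for the profile under review; a signed (CMS-wrapped) mobileconfig must be unwrapped first, since plistlib only reads the plain plist.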