By default, OS X enforces OCSP checking in the keychain to verify the validity of certificates. This is great, but when you are in the registration VLAN, you do not have access to the Internet, and the OCSP check will fail. The result of this failure is a blank captive portal page. Not really useful when you want to register!
We found a way to circumvent this problem using the proxy passthrough feature. First, get the OCSP URLs for your CA. This is usually done by looking directly in the PEM file. Second, in pf.conf, enable the passthrough feature (see FAQ: How do I let users trapped in registration or isolation reach certain websites (passthroughs)?).
Now the important part is the [passthroughs] configuration. The section should look like this:
When done, restart the pfdns service.
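For the first step above (collecting the OCSP URLs for your CA), the following added example, which is not part of the original FAQ or of PacketFence, lists the OCSP responder hostnames referenced by every certificate in a PEM file. It assumes the `openssl` command-line tool is installed; the function name `ocsp_hosts` and the path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not PacketFence code). ocsp_hosts is a hypothetical helper.
# Prints the unique OCSP responder hostnames found in the Authority
# Information Access extension of every certificate in a PEM file.
# The file may hold a single certificate or a whole chain.
# Usage: ocsp_hosts /path/to/your-chain.pem
ocsp_hosts() (
    pem=$1
    tmp=$(mktemp -d) || return 1

    # "openssl x509" only reads the first certificate in a file, so split
    # the bundle into one file per certificate first.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out                           { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$pem" || { rm -rf "$tmp"; return 1; }

    for c in "$tmp"/cert*.pem; do
        [ -e "$c" ] || continue
        # -ocsp_uri prints one OCSP responder URL per line, or nothing
        # when the certificate carries no OCSP entry.
        openssl x509 -in "$c" -noout -ocsp_uri 2>/dev/null
    done |
        # Reduce each URL to its hostname: drop scheme, port, path and query.
        sed -e '/^$/d' \
            -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
            -e 's#[/:?].*$##' |
        tr '[:upper:]' '[:lower:]' |
        sort -u

    rm -rf "$tmp"
)
```

Run it against both the portal's server certificate and its intermediate chain, since each certificate can point to a different responder.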