Troubleshooting SCEP enrollment on Mobile Devices can be tricky. Use the following logfiles to get a better understanding:

Content Location
Certificate registration point IIS logs C:\inetpub\logs\LogFiles\W3SVC1
Configuration Manager certificate registration point logs C:\SMS_CCM\CRP\Logs\CRP.log
Component health status SMS_CERTIFICATE_REGISTRATION_POINT
NDES C:\Users\%username%\mscep.log
NDED Plug-in C:\Program Files\Microsoft Configuration Manager\Logs\NDESPlugin.log

Hope this helps to get the job done. Good luck!