Windows 7 appears to select inconsistent anchor during wireless connection

Tags: certificate, wifi, windows, windows-7, windows-ias-server

We have a wireless authentication server (Windows 2003 SP2 with IAS). It is configured with a DigiCert certificate. The certificate chain looks like this:

Entrust.net Secure Server Certification Authority
  DigiCert High Assurance EV Root CA
    DigiCert High Assurance CA-3
      ourserver.ourdomain.com

When a Windows 7 client connects to the wireless for the first time, it gets a warning about the certificate. It looks like this:

The server "ourserver.ourdomain.com" presented a valid certificate issued by
"Entrust.net Secure Server Certification Authority", but
"Entrust.net Secure Server Certification Authority" is not configured as a
valid trust anchor for this profile.

That is not a big deal as it's supposed to be a one-off. But the root certificate it complains about is inconsistent. Half the time, they get this instead:

The server "ourserver.ourdomain.com" presented a valid certificate issued by
"DigiCert High Assurance EV Root CA", but
"DigiCert High Assurance EV Root CA" is not configured as a
valid trust anchor for this profile.

The reason this is an issue is that the client is prompted a second time at some later point when it reconnects to the wireless network, because the connection seems to arbitrarily choose the "other" certificate in the chain as the missing anchor rather than the first one. The selection appears to be random.

To be clear, this has been reproduced where:

  • 2 Windows 7 laptops are in the same physical location (on same AP).
  • One, when initially configured, prompted with the Entrust root cert.
  • The other, when initially configured, prompted with the EV root cert.
  • Both were connecting to the same IAS server, which only has one certificate installed.

Any ideas as to the cause of this inconsistency, and how I can stop it?

Best Answer

I had exactly this problem and solved it by downloading the DigiCert SSL Certificate Checker and running it on my IAS servers. The tool stated that one of the intermediary certificates was incorrect and offered to install a new one. Looking at the certificate store, the tool installed a new DigiCert High Assurance CA-3, even though an apparently valid certificate was present. I checked the new certificate against the one it replaced; both had the same version number and expiry date, just a different serial number. Not sure what was wrong with the previous one, but it all worked with the new one.
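A way to see for yourself which chain a given Windows machine builds for the IAS certificate, and whether its stores hold several issuer certificates with the same name (the duplicate "DigiCert High Assurance CA-3" the accepted answer found), is the PowerShell script below. It is an added example and is not code from either post or from DigiCert's checker. It assumes the server certificate subject CN from the question and the standard LocalMachine stores; the chain is built from local stores only, with revocation checking off, so the output reflects which issuer certificates are present rather than what is fetchable online.

```powershell
# Added diagnostic example (not from the question or the answer). Run in an elevated
# PowerShell session on the IAS server, or on a Windows 7 client to see what that
# client builds. Assumption: the server certificate subject CN is the one from the
# question; change $ServerCn if yours differs.
$ServerCn = 'ourserver.ourdomain.com'

# 1. The certificate IAS presents: the one in LocalMachine\My with a private key
#    and the expected CN (newest first if several are installed).
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match ('CN=' + [regex]::Escape($ServerCn)) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $serverCert) { throw "No certificate with a private key for CN=$ServerCn in LocalMachine\My" }

# 2. Let CryptoAPI build the chain from the local stores, as the EAP stack does.
#    Revocation checking is off so the result depends only on which issuer
#    certificates this machine holds; an untrusted top is reported, not rejected.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$null = $chain.Build($serverCert)

Write-Output "Chain built on $env:COMPUTERNAME (leaf first):"
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $c = $chain.ChainElements[$i].Certificate
    Write-Output ("{0}{1}" -f ('  ' * $i), $c.Subject)
    Write-Output ("{0}  serial={1} thumbprint={2} expires={3:yyyy-MM-dd}" -f ('  ' * $i), $c.SerialNumber, $c.Thumbprint, $c.NotAfter)
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Output ("Anchor this machine ends at: " + $top.Subject)
Write-Output ("Anchor is self-signed: " + ($top.Subject -eq $top.Issuer))

# 3. Issuer certificates that share a Subject but differ in serial number.
#    Same Subject with a different Authority Key Identifier means the same CA name
#    was signed by two different parents (a cross-certificate), which is exactly
#    what gives the chain engine a choice of anchors.
function Get-AuthorityKeyId($cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }   # id-ce-authorityKeyIdentifier
    if ($ext) { $ext.Format($false) } else { '(none)' }
}

foreach ($path in 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root') {
    Get-ChildItem $path |
        Group-Object Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            Write-Output ("`n{0}: {1} certificates for {2}" -f $path, $_.Count, $_.Name)
            foreach ($c in $_.Group) {
                Write-Output ("  issuer={0}" -f $c.Issuer)
                Write-Output ("  serial={0} thumbprint={1} valid={2:yyyy-MM-dd}..{3:yyyy-MM-dd}" -f $c.SerialNumber, $c.Thumbprint, $c.NotBefore, $c.NotAfter)
                Write-Output ("  AKI={0}" -f (Get-AuthorityKeyId $c))
            }
        }
}

# 4. Is the DigiCert EV root present both as a self-signed trust anchor and as a
#    cross-certificate issued by Entrust? If both are present, two valid chains
#    exist for the same leaf, one ending at each root named in the question.
$evName = 'DigiCert High Assurance EV Root CA'
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -match [regex]::Escape($evName) } |
    ForEach-Object {
        $kind = if ($_.Subject -eq $_.Issuer) { 'self-signed root' } else { 'cross-certificate' }
        Write-Output ("{0}: issuer={1} serial={2} store={3}" -f $kind, $_.Issuer, $_.SerialNumber, $_.PSParentPath)
    }
```

Run it on the IAS server first and then on one client that showed each of the two prompts; comparing the "Anchor this machine ends at" lines and the section 3 duplicates between the three machines shows whether the difference comes from the server's intermediate store (the answer's case) or from what each client already holds in Root and CA.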