Hi,
That road is painful. What we've come up so far with is supplying pre-configured supplicants (SecureW2) that bring the proper CA certificate along and set the expected CN automatically. It can even be preconfigured to auto-discard any other certificates, which doesn't give the user any opportunity to mess around. Of course, that is just pre-setting checkboxes in the supplicant. If a user *really* wants to sacrifice security for getting online cheap and easy on possible fraud networks, he can still toggle the settings manually later and shoot himself in the foot with it.
For the built-in supplicant in XP/Vista: it generally sucks. There is the new "Wireless Native API" that is supposed to allow scripted auto-setups of 802.1X settings for an SSID, but we haven't tested if that's really practical. If you can find a student to code on that API, please go ahead :-)
we have a similar method - preconfigured setup installer for OpenSEA (open1x.sf.net) and SecureW2 3.x - both have the required CN etc already set. handy for ensuring people have eduroam already configured too ;-) my main issue with securew2 is that it is really just a windows zero config supplicant plugin - ie it inherits all the windows supplicant issues. the cisco (pre meetinghouse) supplicant is one of the best (aironet desktop utility) - the meetinghouse client is interesting - users cannot simply configure the supplicant for EAP networks - an admin system needs to be used to push settings out. not handy for those users with EAP at home :-) alan