If a CA issued certificate is in a certificate store where only self-signed certificates would normally exist, the CTL generated from the store would only contain the CA issued certificate. The AdfsTrustedDevices certificate store is such a store that is supposed to have only self-signed certificates. These certificates are:
MS-Organization-Access: The self-signed certificate used for issuing workplace join certificates.
ADFS Proxy Trust: The certificates for each Web Application Proxy server.
Therefore, delete any CA issued certificate from the AdfsTrustedDevices certificate store.
Is the problem solved?