The problem is with the ActiveSync feature - not with Check Point Mobile.
Phone certificate differs from user login name, so every time ActiveSync is initiated, a new authentication session is created.
User CN (and the fullname attribute from the LDAP) is the person's full name, whereas in Check Point, the CN is only the username.