Ooh. maybe you nailed it.
AFAIK, Windows and everything shows you the cert "valid from/to" in local time, but the spec should be to do it in GMT.
So...lets think...
It's March 8, 8h00 EST (GMT-5), that's 13h00 GMT, and 21h00 (GMT+8) in Asia if 13 hrs ahead
Cert is valid from March 8 13h00 GMT->March 9 13h00GMT
Renewing every 15/20 mins at 1% is fine, that's about 1% of a day no matter what
13h27min = 807min. A day is 1440 min.
The phone should be renewing 1296 minutes after getting a cert and not 807 minutes. That's 489/490 minutes, or 8hrs10mins early.
You'd expect the phone to renew 21h36min after it got the cert, not 13h27min
So, if the phone was stupid and got it's cert at 13h00GMT/21h00GMT+8, and thought it was only good from 21h00-->13h00 the next day (16 hours or 960minutes), then it would renew at 90% of 960min, or 864 minutes later.
If the phone is in GMT+7 or 12 hours ahead of GMT-5...
The cert would be good from 20h00 -->13h00, that's 17 hours, 1020 minutes, 918min till renew, which is 15 hours 18 mins.
If the phone is in GMT+9
The cert would be good from 22h00-->13h00, that's 15 hours, 900mins, 810 minutes to renew. And you're at 807 like clockwork, eh?
If your CA backdates the cert a few minutes to account for slow PKI clients and you're phones are in GMT+9, I think we might have figured it out.
If the phone has a bug where it considers the cert's 'valid from' expressed in GMT as "local time" and "valid to" in true GMT, then the phone would renew sooner.
Here's what you can do - take a settings file, set the timezone of a test phone in Asia to GMT, see if it behaves.
Set the RENEW of a GMT+9 phone to "50" - if I'm right, then it should be "half" of the 900 minutes - 450min, or 7 and a half hours.