I’m not quite sure though what you mean by “is it included in the certificate chain”.
Basically, only the “root CA certificate” for a CA needs to be in the trusted certificate storage. However, CAs often don’t have just one certificate but several “intermediate certificates” (for instance, for various product lines) which are all signed by the root certificate.
If your device only contains the root certificate but your server’s certificate is signed by the intermediate certificate, there’s one missing certificate in the so-called certificate chain and the server certificate can’t be verified. In this case, your server would have to send not only the server certificate but also the intermediate certificate.
✓ root CA (in trust store) signs
✓ server certificate (received via SSL)
→ server cert can be verified
vs
✓ root CA (in trust store) signs
X intermediate certificate (*missing* when not in trust store or received via SSL), signs
✓ server certificate (received via SSL)
→ server cert can't be verified
http://www.startssl.com/?app=21
So do you have SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem in your server config?
If that’s not the problem, can you post the domain name or send it to play@bitfire.at?
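Added example (not part of the original reply): the two cases from the diagram above, reproduced offline with the openssl command line. The CA hierarchy, subject names and file names are constructed for the demo. The `-untrusted` option stands in for an intermediate certificate that the server sends during the handshake.

```sh
#!/bin/sh
# Constructed throwaway hierarchy: root CA -> intermediate CA -> server cert.
# All subject names and file names are made up for this demo.

# Create a key and CSR: files $1.key / $1.csr, subject CN=$2
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Build the three certificates in directory $1
build_chain() {
  d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  new_csr "$d/root" "Demo Root CA" &&
  new_csr "$d/intermediate" "Demo Intermediate CA" &&
  new_csr "$d/server" "server.example.test" &&
  # Root CA: self-signed, the only certificate placed in the trust store.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 &&
  # Intermediate CA: signed by the root.
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -days 1 -extfile "$d/ca.ext" \
    -out "$d/intermediate.pem" >/dev/null 2>&1 &&
  # Server certificate: signed by the intermediate, not by the root.
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 1 \
    -out "$d/server.pem" >/dev/null 2>&1
}

# Client trusts only the root; server sent only its own certificate.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" 2>/dev/null | grep -q ': OK'
}

# Same trust store, but the intermediate is supplied as an untrusted helper.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    "$1/server.pem" 2>/dev/null | grep -q ': OK'
}

demo() {
  dir=$(mktemp -d) || return 1
  build_chain "$dir" || { rm -rf "$dir"; return 1; }
  verify_root_only "$dir" && echo "root only: OK" || echo "root only: FAILED"
  verify_with_intermediate "$dir" && echo "with intermediate: OK" || echo "with intermediate: FAILED"
  rm -rf "$dir"
}
demo
```

The first check fails because the issuer of the server certificate is unknown to the verifier; the second succeeds because the chain can be completed up to the trusted root.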