In the best case, you'll configure your clients to validate the server certificate. With that option, you'll make sure that there are no honeypots or rogue APs that want to fool your clients. So "validating server certificates" is a good thing. To make that work, the clients have to know and trust the CA of the authentication server. If it's a self-signed ACS cert, it could be a tough enrollment process. If you already have your own CA, just issue a server cert to the ACS server. Normally your client should have the CA cert of your own CA. If not, simply enroll it.
You're right - when using PEAP, you'll only need server certificates for authentication. However, if you want to enforce that the client only connects to your APs*, the clients need to validate the server certificate. The only way to validate the server cert is to check whether it was issued by a trusted CA. A trusted CA could be, for example, VeriSign (per system default) or your own CA (if you added it). Check the certificate store on your client - you'll find all trusted CAs there.
If you issue a server cert to your ACS server with a CA the client doesn't trust, validation is impossible.
A trusted CA cert is NOT a client certificate.
*(Rogue APs simulate valid APs (same SSID, encryption and authentication) to obtain user credentials or other data.)
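
The trust check described in the replies above, as an added example that is not part of the original posts: a throwaway CA issues a server cert, and the client-side chain check passes only when the client trusts that issuing CA. It assumes the `openssl` CLI with its default configuration; the names `corp-ca`, `other-ca` and `acs.example.test` are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: all names, subjects and files are made up for this example.
# Assumes the openssl CLI is installed; everything lives in a temp directory.

# make_ca DIR NAME: create a self-signed CA (key + cert) in DIR
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_server_cert DIR CA_NAME SERVER_NAME: sign a server cert with that CA
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# client_validates DIR TRUSTED_CA SERVER_CERT: exit 0 only if the server cert
# chains to the one CA this "client" trusts
client_validates() {
    openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
}

# demo: prints two words. The first is the result for a client that trusts the
# issuing CA, the second for a client that only trusts a different CA.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" corp-ca && make_ca "$d" other-ca &&
    issue_server_cert "$d" corp-ca acs.example.test || { rm -rf "$d"; return 1; }
    if client_validates "$d" corp-ca acs.example.test; then r1=trusted; else r1=rejected; fi
    if client_validates "$d" other-ca acs.example.test; then r2=trusted; else r2=rejected; fi
    rm -rf "$d"
    echo "$r1 $r2"
}

demo
```
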