My (limited) experience with capsman is that order of entries in /caps-man provisioning matters. The first one that matches a CAP will get applied (the same logic as with firewall filter rules). So try to move the general provisioning rule (with radio-mac=00:00:00:00:00:00) to the end of provisioning rule list.