I have a wildcard certificate such as *.domain.com. I have a server with a DNS URL of aftab.hussain.domain.com; this configuration fails the CN check. My testing shows that the cert has to be *.hussain.domain.com. I don't see a way around this without skipping the check, so I will just have to change my cert; it just means I need more certificates, rather than just one.
You should still be able to accomplish this with a single certificate, though. You just may need multiple Subject Alternative Name values on the cert. I've read conflicting reports as to whether a DNS name of *.*.domain.com on a certificate will work with modern browsers or not; you'd have to test it to see if it's that easy. If not, then you may need to have multiple SANs for each domain (*.domain.com, *.child.domain.com, etc.).
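The behaviour both posts describe, as an added example that is not part of the original thread: a hostname matcher implementing the wildcard rules that browsers and TLS libraries apply (a `*` counts only as the whole left-most label, matches exactly one label, and a name with more than one wildcard label is rejected), plus a helper that works out which wildcard SANs a list of hostnames needs. It goes slightly beyond the thread by computing the SAN list for an arbitrary set of hostnames, not just the one in the question. The `Certificate` class and every hostname below are constructed for illustration and are not from the original posts.

```python
# Added example (not from the original thread): wildcard matching as browsers
# and TLS libraries apply it, plus a helper that works out which wildcard SANs
# a list of hostnames needs. All names below are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry (possibly a wildcard) matches hostname.

    Rules enforced, matching what mainstream browsers and OpenSSL do:
      * '*' is honoured only when it is the entire left-most label;
      * it matches exactly one label, so '*.domain.com' never matches
        'a.b.domain.com' or the bare 'domain.com';
      * a pattern with '*' anywhere else ('*.*.domain.com', 'a*.domain.com')
        is rejected outright;
      * the wildcard must leave at least two literal labels ('*.com' is not allowed).
    """
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


@dataclass
class Certificate:
    """Just the name fields of a cert that matter for hostname verification."""
    common_name: str
    sans: List[str] = field(default_factory=list)  # dNSName SAN entries


def matching_san(cert: Certificate, hostname: str) -> Optional[str]:
    """Return the name on cert that matched hostname, or None.

    As modern browsers do, the CN is consulted only when the cert carries no
    dNSName SAN entries at all.
    """
    names = cert.sans or [cert.common_name]
    for name in names:
        if wildcard_matches(name, hostname):
            return name
    return None


def wildcards_needed(hostnames: List[str]) -> List[str]:
    """Compute the set of single-level wildcard SANs that covers every hostname.

    Each hostname needs the wildcard for its own parent ('*.hussain.domain.com'
    for 'aftab.hussain.domain.com'); hostnames sharing a parent share one SAN.
    """
    needed = set()
    for host in hostnames:
        labels = _labels(host)
        if len(labels) < 3:
            # A second-level name such as 'domain.com' cannot be covered by a
            # wildcard; it needs its own literal SAN entry.
            needed.add(".".join(labels))
        else:
            needed.add("*." + ".".join(labels[1:]))
    return sorted(needed)


if __name__ == "__main__":
    single = Certificate("*.domain.com", ["*.domain.com"])
    multi = Certificate("*.domain.com", ["*.domain.com", "*.hussain.domain.com"])
    host = "aftab.hussain.domain.com"
    print("single wildcard cert:", matching_san(single, host))
    print("cert with both SANs :", matching_san(multi, host))
    print("double wildcard     :", wildcard_matches("*.*.domain.com", host))
    print("SANs needed         :", wildcards_needed([host, "www.domain.com", "mail.domain.com"]))
```

Running it shows the failure from the question (`*.domain.com` alone does not match `aftab.hussain.domain.com`), the fix from the answer (adding `*.hussain.domain.com` as a second SAN makes the same certificate match), and that a `*.*.domain.com` entry is simply rejected by these rules. When generating the request, the extra names go into the subjectAltName extension, for example with OpenSSL's `-addext "subjectAltName=DNS:*.domain.com,DNS:*.hussain.domain.com"` on `openssl req`; whether a public CA will issue it depends on validating control of each parent domain.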