Passkey Attestation Statement

The WWDC23 video on deploying passkeys at Work (https://developer.apple.com/videos/play/wwdc2023/10263/?time=633) talks about a Corporate CA Server signing the Identity Certificate for the passkey, which can be further used during registration with the relying party.

Where can I find more information on what protocol and specification this Corporate CA should follow here? Is this based on protocols such as SCEP/ACME, or something else?
Also, where can I find information on what verification this Corporate Server can follow before signing that Identity Cert?

Replies

The passkey attestation configuration is declared here. The identity (certificate + private key) that gets installed is specified via a Declarative Device Management (DDM) Asset reference. DDM supports multiple types of certificate configurations, including ACME and SCEP. This identity will chain back to an arbitrary certificate on the MDM server. As some examples, this could be a known root certificate managed by the MDM provider and trusted by the corporate CA, or an MDM-owned certificate that was itself provisioned by the corporate CA; the details of this certificate are up to you and your MDM provider.

The only requirement for the identity installed on the device is that it supports the ES256 signing algorithm (COSE identifier -7). Everything else about the certificate and how it gets installed is up to you. The attestation you get back is a basic attestation in the packed format, signed by the identity provisioned through DDM. That link specifies the verification algorithm for the attestation.

For more information about DDM and how it provisions identities, see Meet declarative device management, Adopt declarative device management, and Explore advances in declarative device management.
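The reply above describes a basic attestation in the packed format, signed by an ES256 identity that chains to a corporate CA. What follows is an added example of the relying-party side of that check; it is not code from this thread or from Apple. It generates a stand-in corporate CA, device identity and passkey in-process (how DDM, ACME or SCEP put the identity on the device is out of scope), assumes the attestation object has already been CBOR-decoded into a dict, and uses the `cryptography` package. The certificate subjects, rpId and challenge are constructed sample values.

```python
"""Relying-party verification of a WebAuthn "packed" attestation statement whose
signing identity chains to a corporate CA. Added example, not Apple's code; all key
and certificate material is generated in-process as a stand-in for DDM provisioning."""
import datetime
import hashlib
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

COSE_ES256 = -7  # the only COSE algorithm the provisioned identity must support


def _cert(subject_cn, issuer_cert, pubkey, signer_key, is_ca):
    """Issue a minimal X.509 v3 certificate (constructed; real ACME/SCEP-issued certs carry more)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def _cose_ec2_key(pub):
    """Hand-encoded CBOR COSE_Key {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}."""
    n = pub.public_numbers()
    x, y = n.x.to_bytes(32, "big"), n.y.to_bytes(32, "big")
    return b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + x + b"\x22\x58\x20" + y


def build_sample_attestation(rp_id="example.com"):
    """Construct a packed attestation the way the authenticator would (sample data only)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _cert("Corporate Passkey Attestation CA", None, ca_key.public_key(), ca_key, True)
    identity_key = ec.generate_private_key(ec.SECP256R1())    # stand-in for the DDM-provisioned identity
    identity_cert = _cert("device-1234", ca_cert, identity_key.public_key(), ca_key, False)
    credential_key = ec.generate_private_key(ec.SECP256R1())  # the passkey itself
    cred_id = os.urandom(16)
    # authenticatorData = rpIdHash || flags (UP|AT) || signCount || aaguid || credIdLen || credId || COSE key
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + b"\x41" + (0).to_bytes(4, "big")
                 + bytes(16) + len(cred_id).to_bytes(2, "big") + cred_id
                 + _cose_ec2_key(credential_key.public_key()))
    client_data_hash = hashlib.sha256(b'{"type":"webauthn.create","challenge":"sample"}').digest()
    sig = identity_key.sign(auth_data + client_data_hash, ec.ECDSA(hashes.SHA256()))
    att_obj = {"fmt": "packed",
               "attStmt": {"alg": COSE_ES256, "sig": sig, "x5c": [identity_cert.public_bytes(Encoding.DER)]},
               "authData": auth_data}
    return {"attestation_object": att_obj, "client_data_hash": client_data_hash,
            "trusted_ca": ca_cert, "credential_id": cred_id}


def verify_packed_attestation(att_obj, client_data_hash, trusted_ca):
    """Basic (x5c) packed attestation check. Returns the credential ID, raises ValueError on failure."""
    if att_obj.get("fmt") != "packed":
        raise ValueError("unexpected attestation format")
    stmt = att_obj["attStmt"]
    if stmt.get("alg") != COSE_ES256:
        raise ValueError("identity must use ES256 (COSE -7)")
    if not stmt.get("x5c"):
        raise ValueError("basic attestation requires x5c; self-attestation is not acceptable here")
    leaf = x509.load_der_x509_certificate(stmt["x5c"][0])
    # 1. the attestation certificate must be issued by the corporate CA we trust
    if leaf.issuer != trusted_ca.subject:
        raise ValueError("attestation certificate not issued by the trusted CA")
    try:
        trusted_ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                       ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        raise ValueError("attestation certificate signature does not verify against the CA")
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if not (leaf.not_valid_before <= now <= leaf.not_valid_after):
        raise ValueError("attestation certificate is outside its validity period")
    try:
        if leaf.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            raise ValueError("attestation certificate must not be a CA certificate")
    except x509.ExtensionNotFound:
        raise ValueError("attestation certificate lacks BasicConstraints")
    # 2. the statement signature covers authenticatorData || clientDataHash
    pub = leaf.public_key()
    if not isinstance(pub, ec.EllipticCurvePublicKey) or not isinstance(pub.curve, ec.SECP256R1):
        raise ValueError("attestation key is not P-256; cannot be ES256")
    try:
        pub.verify(stmt["sig"], att_obj["authData"] + client_data_hash, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("attestation signature does not verify")
    # 3. pull the credential ID out of attestedCredentialData (offset 37 = rpIdHash + flags + counter)
    auth_data = att_obj["authData"]
    if not auth_data[32] & 0x40:
        raise ValueError("AT flag not set; no attested credential data")
    cred_len = int.from_bytes(auth_data[53:55], "big")
    return auth_data[55:55 + cred_len]


if __name__ == "__main__":
    sample = build_sample_attestation()
    cred = verify_packed_attestation(sample["attestation_object"], sample["client_data_hash"], sample["trusted_ca"])
    print("attestation verified; credential id", cred.hex())
```

The relying party only needs the corporate CA certificate (or whichever certificate the MDM-provisioned identity chains to) as its trust anchor; it never sees how the identity reached the device. Anything beyond the checks above, such as matching the aaguid or the certificate subject against an enrollment record, is policy that belongs to the relying party.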