iOS and OSX both use the system store represented by the "system" keychain. (On the desktop, individual users can also have keychain a with trusted roots.). Apple keeps their root store up to date via software updates and automatic OCSP checks.
NSURLConnection, the higher level resource API, will by default require a valid certificate chain, but provides for explicitly allowing an insecure connection as part of its authentication callbacks. (This is an improvement over previous versions (leopard and before) where you had to explicitly specify hostnames that should be considered safe.)
So, certificate validation is treated, at the API level, like any other sort of authentication challenge.
You can also provide a client certificate using the same mechanism, if requested by the server.
Using the lower level CFHTTP stream API, you can only fail the connection and re attempt it after disabling cert checking.
