Actually, just combining steps 2 and 3 didn't work for me. I rather had to duplicate step 2 and include additional SCEP payload into configuration profile on step 3. I'm not sure what is the reasoning behind this, but this approach was also confirmed here .
As for user accepting MDM profile, iOS does ask user before installing MDM config profile.