@keith_fisk, calling activate is exactly what you should be doing after re-enabling the device for provisioning.
As far as I know requests to
/provision/activate shouldn't actually return a 401 Unauthorized status code. Double check that you're seeing that in response to a provision call and not a read/write call.
Are you using our Arduino Library? If so, you can try turning on some of the debugging information and posting a serial log here and I'll see if I can see what is going wrong.
Otherwise, print the content of your HTTP requests out as you send/receive them and post that log here and I can tell you where the problem is.
Am I better off to create generic devices and simply hard code ciks into my devices and not use the provisioning API?
That is definitely a valid option, especially since it's for an arduino where you have to program individually anyway. Really I'd say that there is no downside to doing that in this case. Up to you if you want to figure out the other issue or just go with this.