When does iOS check validity of enterprise certificates?

From the iOS 7 Deployment Technical Reference document (opens a PDF):

Certificate validation
The first time a user opens an app, the distribution certificate is validated by contacting Apple’s OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server isn’t interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See “Network Configuration Requirements,” earlier in this appendix.

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between three and seven days. The validity of the certificate isn’t checked again until the device has restarted and the cached response has expired.

If a revocation is received at that time, the app is prevented from running.

Revoking a distribution certificate invalidates all of the apps you’ve signed with it. You should revoke a certificate only as a last resort— if you’re sure the private key is lost or the certificate is believed to be compromised.