The APIs allow you to automatically check the validity of a certificate for the server that provided it, but as you've suggested it is definitely a good idea to also verify other aspects of the certificate if you know your application will only ever be communicating with one particular back end server (or a load balancer terminating the SSL or whatever).
The process of verifying other aspects of a specific certificate is known as "certificate pinning" - this terminology might help you find more information. Typically certificate pinning is done on a per-server certificate or per-CA certtificate basis, or on a more ad-hoc basis. The first two methods involve keeping a copy of a certificate within the application - either the server certificate itself, or the CA certificate - and comparing the certificate provided to the stored one. You can also implement a more ad-hoc approach just by checking various expected values in the certificate fields (other subject details, issuer, issuer details), but this is not quite as reliable. The only benefit of this approach is that you don't need to update a certificate within the app itself when your server SSL certificate expires, but it's much easier for a MITM attack to be performed as the attacker can just replicate all of the fields in the certificate in their own cert. If you do keep a copy of some certificate within the app bundle you will have to be vigilant about getting updates out before the certificate expires, or the app will stop working.
Certificate pinning can be defeated with a willing user and device, but it makes it more difficult. The process for penetration testing against an iOS app that uses a web service without certificate pinning is basically to install a self-signed CA cert via a mobileconfig profile thing (e.g. the one for PortSwigger, makers of the BurpSuite web app pentesting tool), and then running your proxy (Burp) in the middle with a certificate signed by that CA cert. Certificate pinning obviously means that the self-signed cert will not be accepted as valid. The way I've worked around this before (and I believe the way that other people do it, based on the Black Hat slides above) is to use a jailbroken device and a debugger, and patch the executable in memory to remove the certificate pinning check. So not really an attack that you're likely to see against a real user, just a user who is interested in exploring the communications between your app and the back end.
I'm not an expert on the APIs, but here's a couple of resources that might answer your questions a bit further:
Hope this is helpful.
Loukas