With the popularization of the Internet of Things (IoT), mobile payments are widely used in daily life. However, the design of secure and efficient signature schemes for mobile payment remains an open research topic. In 2018, Yeh et al. [24] designed a certificateless signature (CLS) scheme for IoT-based mobile payment and claimed that their scheme is secure. We point out that Yeh et al.'s scheme is unable to resist the public key replacement attack. To solve this problem, we propose an improved scheme in this paper and carry out its security verification under the random oracle model. Furthermore, the performance evaluation shows that the efficiency of our scheme is comparable to that of related CLS schemes.