Stephen,
We have successfully configured mutual client certificate authentication when using self-signed certificates - with the gist of the procedure being:
1. Create the self-signed cert. Keep the keystore because it is required when setting up SOAP UI.
2. Import the cert as a Trust Anchor and select the Signing Client Certificates option.
5. Create federated identity provider.
4. Create user - DN as name, additional properties - import self-signed cert created in step 1.
5. Confirm user (cert) exists in FIP.
6. In API, add assertions (Require SSL or TLS Transport with Client Certificate Authentication, Authenticate Against Identity Provider).
7. Select the FIP that you created in step 3 as the target for Authenticate Against Identity Provider assertion.
8. Save changes and then test in SOAP UI. Note that SOAP UI requires the jks when it is configured for mutual client cert testing.
This setup works when self-signed certs are used and the configuration is tested with SOAP UI.
This setup does NOT work when the external B2B partner provides its certificate.
Why does this not work in this scenario?
The only difference that I can see is that SOAP UI has access to the self-signed cert's private key, because that configuration points to the certificate's java keystore.
Note: In SOAP UI, I can mimic the failure I see when testing with external client applications by removing the keystore from the configuration or by submitting an incorrect password for the keystore.