Tim,
I've set this up in the lab and was able to get the scenario to work with 2 certificates that share the same subject name. Steps I took were:
1) Created a CA and Intermediate CA structure and signed 2 certificates with the CN of OU=Support,O=CA,C=CA,ST=BC,CN=communityusera against the Intermediate CA
2) Using the private key and a certificate chain including the leaf certificate, intermediate CA and CA created 2 P12 files for client mutual authentication
3) From the Policy Manager, imported the Intermediate CA into the Manage Certificates and checked "Signing Client Certificates" and "Certificate is a Trusted Anchor".
4) Created a new FIP provider with the Intermediate certificate called Community. Once it was created, I then created a Virtual Group called CommunityUser with the X509 Subject DN as "OU=Support,O=CA,C=CA,ST=BC,CN=communityusera"
5) Created a new Service with the URI /cert and added in a Require SSL or TLS Transport with Client Certificate Authentication assertion, Authenticate against Group linking to the new Virtual Group, and a template response with something to let me know that it succeeded
6) Tested logging in against the new service with each of the newly created P12 files and making sure they were successful
This is a very locked in approach and can have issues if the newly updated certificate was not signed by the same certificate authority.
I would suggest that you create an Idea in our community on how you would like this to work.
Sincerely,
Stephen Hughes
Broadcom Support
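
The lab material from steps 1 and 2, as an added example that is not part of the original reply and not Broadcom tooling: it builds a root and intermediate CA with OpenSSL, issues two client certificates carrying the subject DN from the post, and checks that both chain to the intermediate while differing in key and fingerprint, which is why a Virtual Group matched on subject DN accepts either one. File names, CA names, validity periods and the P12 password are assumptions.

```shell
#!/bin/sh
# Added example: constructed lab PKI. Only the subject DN comes from the post.
# With -nameopt RFC2253 this prints as OU=Support,O=CA,C=CA,ST=BC,CN=communityusera
SUBJ='/CN=communityusera/ST=BC/C=CA/O=CA/OU=Support'

new_csr() {   # $1 = subject, $2 = output path without extension
  openssl req -new -newkey rsa:2048 -nodes -subj "$1" -keyout "$2.key" -out "$2.csr"
}

build_lab() {   # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
  # Step 1: self-signed root, then an intermediate CA signed by it
  new_csr '/CN=Lab Root CA' "$d/root" || return 1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" || return 1
  new_csr '/CN=Lab Intermediate CA' "$d/int" || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" || return 1
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
  # Steps 1-2: two leaves with the same subject, each bundled with the chain as a P12
  for n in a b; do
    new_csr "$SUBJ" "$d/$n" || return 1
    openssl x509 -req -in "$d/$n.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
      -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/$n.crt" || return 1
    openssl pkcs12 -export -inkey "$d/$n.key" -in "$d/$n.crt" \
      -certfile "$d/chain.pem" -passout pass:changeit -out "$d/$n.p12" || return 1
  done
}

subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

check_pair() {   # succeeds when a and b share a subject, differ otherwise, and both chain
  d=$1
  [ "$(subject_of "$d/a.crt")" = "$(subject_of "$d/b.crt")" ] || return 1
  [ "$(fingerprint_of "$d/a.crt")" != "$(fingerprint_of "$d/b.crt")" ] || return 1
  for n in a b; do
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/int.crt" "$d/$n.crt" >/dev/null || return 1
  done
}

# Stand-alone use: LAB_DIR=/path/to/empty/dir sh thisfile.sh
if [ -n "${LAB_DIR:-}" ]; then build_lab "$LAB_DIR" && check_pair "$LAB_DIR" && echo "pair OK"; fi
```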