Another thing to look at here is what TLS versions are enabled on the listen port.
I know with TLS 1.2 and possibly even 1.1 there are just more stringent security measures in place.
If the TLS version being used in the communication is 1.2, for instance, then the client side will
need to present a certificate over to the server (gateway in this case) during the SSL handshake.
If you were to run a tcpdump or sniffer during the request, you will see the client side initiate a 'Client Hello'
request to the gateway. The gateway will respond with a 'Server Hello and certificate request' back to the client,
at which point the client side needs to present a certificate to the gateway. The gateway will then accept
a certificate which is contained within its Manage Certificates store which is marked with the 'signing client certificates' option enabled.
So from Policy Manager -> Tasks -> Transports -> Manage Listen Ports -> select port 8443 or 9443 -> properties -> SSL/TLS Settings, and check 'Enabled TLS Versions'. See if TLS 1.1 or 1.2 is enabled. If you disable 1.1 and 1.2, then restart the gateway and test things again, are you still getting prompted to provide a certificate to the gateway?
Again though, using only TLS 1.0 on a listen port is less secure than using 1.1 or 1.2.
Hope that helps.
Daren
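
To check from a capture which version the gateway negotiated and whether it sent a certificate request, the server's handshake messages can be read straight from the captured bytes, since in TLS 1.2 and earlier they travel unencrypted. The following is an added example, not part of the original post; the function names are illustrative and the sample bytes are constructed with placeholder message bodies.

```python
import struct

HANDSHAKE = 22  # TLS record content type carrying handshake messages
MSG_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def handshake_stream(data):
    """Concatenate the payloads of all handshake records in a byte stream."""
    out, pos = bytearray(), 0
    while pos + 5 <= len(data):
        ctype, _maj, _min, length = struct.unpack_from("!BBBH", data, pos)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:  # skip alerts, ChangeCipherSpec, app data
            out += payload
        pos += 5 + length
    return bytes(out)

def summarize_server_flight(data):
    """Return (negotiated version, message names, client cert requested?)."""
    stream, pos, names, version = handshake_stream(data), 0, [], None
    while pos + 4 <= len(stream):
        mtype = stream[pos]
        mlen = int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = stream[pos + 4:pos + 4 + mlen]
        if len(body) < mlen:
            raise ValueError("truncated handshake message")
        if mtype == 2 and mlen >= 2:  # ServerHello begins with chosen version
            version = VERSIONS.get((body[0], body[1]), "unknown")
        names.append(MSG_NAMES.get(mtype, f"type {mtype}"))
        pos += 4 + mlen
    return version, names, "CertificateRequest" in names

def build_msg(mtype, body):
    """Frame one handshake message (used only for the constructed sample)."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def build_record(payload, version=b"\x03\x03"):
    """Wrap a payload in a TLS handshake record header."""
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(payload)) + payload

# Constructed sample: a TLS 1.2 server flight that asks for a client cert.
SAMPLE = (build_record(build_msg(2, b"\x03\x03" + bytes(36)) + build_msg(11, bytes(8)))
          + build_record(build_msg(13, bytes(6)) + build_msg(14, b"")))
```

Feeding it the server-to-client bytes of captures taken with different 'Enabled TLS Versions' settings shows, per handshake, the version chosen and whether a CertificateRequest was present.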