If you configure Certificate authentication and enable “Match Certificate to CRL” the authentication fails. See also the related issue 4085: OpenSSO Enterprise is unable to store the CRL in the LDAP directory.