Certificate-based authentication is not working if it is configured with Certificate Revocation list (CRL) checking.
Workaround. For an existing Access Manager instance, add the following security permission to the web container server policy file and then restart the web container:
permission java.security.SecurityPermission "getProperty.ocsp.*";
For Sun Java System Application Server and IBM WebSphere Application Server, the security policy file is server.policy. For BEA WebLogic Server, the file is weblogic.policy.
For new Access Manager instances, the respective web container amconfig script has been revised to add this security permission to the security policy file.