I am trying to use the REST data connector with a client certificate. I never see the IdP attempting to use the provided cert. This is using javax.net debug and debug log on org.apache.http, etc.
Something I notice in SecurityEnhancedTLSSocketFactory.java (from the GitHub source) is that the third SecurityEnhancedTLSSocketFactory constructor does not call its parent constructor. The others do.
I've otherwise done a lot of testing around it. The certs and target work fine with my own data connector, which uses many of the same apache.http tools as you, but not in such a byzantine manner.
If you have other ideas where I might investigate, please let me know.
Thanks,
Jim