SSL termination is occurring on Layer7 when the port is configured with Client Authentication set to Optional. Is there anything in your knowledge base that could provide an idea why this is this happening without going into SSL debug logs, etc.?

API Gateway 10.1

On a SSL handshake, the handshake (Server hello, certificate ) provides possible certificates to authenticate with based on the gateway's trusted certificate store. That certificate list is returned to the browser. If a browser finds a list in its own trust store it will optionally present the option to choose this certificate to authenticate with. (It's a browser function based on the SSL handshake). This is quite normal and the certificate that is showing in the browser popup is likely the certificate that you have added to the gateway's trust store. This is the expected behavior when the Client Authentication is set to Optional.

It is recommended to set up a new listen port for services that don't need a certificate and set the Client Authentication to None. This will prevent users from being prompted to choose a certificate. If you make this change on a currently used listen port (like 8443), this may break other clients that require client authentication.

REF: Listen Port Properties