Certificate Mapping for X.509 Certificate Authentication has been created and the Issuer DN has been copied from the CA Certificate by viewing it with OpenSSL.
The Issuer DN should be correct but the browser gets "Access Forbidden".
The OpenSSL command-line utility formats DNs (Distinguished Names) by joining their RDNs (Relative Distinguished Names) with comma+space for easier reading, but CA Single Sign-On expects the RDN separator to be a comma only.
e.g.:
# openssl x509 -in cacert.pem -text -nameopt sep_comma_plus | grep Issuer
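When the Issuer DN has already been copied in the comma+space form, the separator can also be corrected on the string itself. The following Python function is an added example, not CA Single Sign-On or OpenSSL code; the name `to_comma_only` and the sample DNs are constructed for illustration. It changes only the RDN separator and leaves commas inside escaped or quoted values, the spacing around "=", and any "+" separators untouched.

```python
def to_comma_only(dn: str) -> str:
    """Rejoin the RDNs of a DN string with a bare comma (no following space)."""
    dn = dn.lstrip().rstrip("\r\n")
    # Accept a line pasted straight from `openssl x509 -text | grep Issuer`.
    if dn.startswith("Issuer:"):
        dn = dn[len("Issuer:"):].lstrip()

    rdns, current = [], []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Backslash escape (e.g. "\,"): copy both characters unchanged.
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            # Commas inside a quoted value are data, not separators.
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            # Unescaped, unquoted comma: this is an RDN separator.
            rdns.append("".join(current))
            current = []
            i += 1
            # Drop the readability spaces that follow the separator.
            while i < len(dn) and dn[i] == " ":
                i += 1
            continue
        current.append(ch)
        i += 1
    rdns.append("".join(current))
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed sample DNs, not taken from a real certificate.
    samples = [
        "        Issuer: C=US, O=Example Corp, CN=Example Root CA",
        "C=US, O=Acme\\, Inc., CN=Acme CA",
        'C = US, O = "Acme, Inc.", CN = Acme CA',
    ]
    for s in samples:
        print(to_comma_only(s))
```
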