Please use an "Add Audit Details" assertion that has the value "Found client certificate for user ${request.ssl.clientCertificate.subject.cn}" which will log the actual CN of the Client Certificate.
In version 10.x,
Extract Attributes From Certificate Assertion can be used for certificate attributes.
In a policy, the Extract Attributes from Certificate assertion must be preceded by the following criteria in case the Source variable is not specified in the assertion:
At least one credential source assertion:
Require SSL or TLS Transport with Client Authentication
Require WS-Secure Conversation
Require WS-Security Signature Credentials
Require SAML Token Profile
(Subject Confirmation: Holder of Key, Require Message Signature)
An identity assertion (for example, Authenticate User or Group)
${ <prefix> .subject.dn} Contains the subject DN in a format that is easier to read.
${ <prefix> .subject.dn.canonical} Contains the subject DN in a format suitable for comparisons (limited subset of entity ID names; strict sorting, whitespace, and case rules).
${ <prefix> .subject.dn.rfc2253} Contains the subject DN in a format that is technically precise, yet maintains readability. This only includes RFC 2253 entity ID names.
${ <prefix> .subject.cn} Contains the "cn" value of the subject (e.g., jsmith)
Some additional certificate attributes are also available through the assertion.