Switching the outputs stanza as you advised to
[tcpout:group1]
server=splunk.mydomain.net:9997
disabled = 0
sslRootCAPath = /etc/pki/ca-trust/source/anchors/intermediate-chain.cert.pem
clientCert = /opt/splunkforwarder/etc/auth/splunk.mydomain.net.cert.pair.pem
worked. The client is now logging
7-15-2017 18:39:55.889 +0000 INFO TcpOutputProc - Connected to idx=10.101.21.34:9997
The indexer is logging
07-15-2017 18:34:59.115 +0000 DEBUG TcpInputConfig - connection_host=ip for 10.101.21.34
It does seem odd that the instructions show that it us supposed to be configured differently
[tcpout:group1]
server=10.1.1.197:9997
disabled = 0
[tcpout:splunkssl]
useClientSSLCompression = <true> Disabling tls compression can cause bandwidth issues.
sslPassword = The password for the CAcert
sslCommonNameToCheck = (Optional) <commonName1>, <commonName2>, ... sslVerifyServerCert must be enabled to use common name checking. Defaults to no common name checking.
sslAltNameToCheck = (Optional) <alternateName1>, <alternateName2>, ... sslVerifyServerCert must be enabled to use common name checking. Defaults to no common name checking.
sslVerifyServerCert = Defaults to false. If true, you must make sure that the server you are connecting to can be authenticated to. When enabled, the common name and the alternate name of the server are checked.
cipherSuite = (Optional) Splunk uses any specified cipher string for the input processors. If not set, Splunk uses the default cipher string provided by OpenSSL.
... View more