I ran into this issue myself last night and found that the enhanced key usage on the cert needs to include:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
This doesn't appear to be explicitly stated anywhere in the documentation and should be added.
... View more