I have a corrected answer to add to an archived question.

https://archive.sap.com/discussions/thread/3366849

We had the same question and SAP advanced technical team took over 10 days to come up with the proper answer...

It turns out there is a hidden setting that you need to set...

Add/Change the parameter ssl/client_ciphersuites to following value in default profile:

this is the hard part, that hardly anyone knows:

Parameter Name: ssl/client_ciphersuites
Parameter Value: 16:HIGH:MEDIUM:+e3DES:!aNULL
CHANGE SSL CIPHER SUITES TO ENABLE BLIND SENDING CLIENT CERTIFICATES

Force ECC system to always send client certificate regardless of the trusted CAs returned by the third party.

that was the hard part, now the easy part, and everyone already knows this:

https://blogs.sap.com/2008/10/31/calling-webservices-from-abap-via-httpsssl-with-pfx-certificates/
restart of ICM service is required.