I have used this command to troubleshoot client certificate negotiation:
openssl s_client -connect www.test.com:443 -prexit
The output will probably contain “Acceptable client certificate CA names” and a list of CA certificates from the server, or possibly “No client certificate CA names sent”, if the server doesn’t always require client certificates.
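An added example, not part of the original answer: a shell function that sorts saved `s_client` output into the cases described above and extracts the CA names the server advertises. The function name, return codes and sample outputs are constructed for illustration, and the markers used to detect the end of the CA list are an assumption about the usual `s_client` layout.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin and prints the
# advertised client-CA DNs, one per line.
# Return codes (this example's own convention):
#   0 = CA list sent, 1 = "No client certificate CA names sent",
#   2 = neither marker seen (handshake probably did not complete).
# Assumption: the CA list ends at "---" or at one of the headers matched below.
client_ca_names() {
    awk '
        /^No client certificate CA names sent/ { none = 1 }
        /^Acceptable client certificate CA names/ { inlist = 1; found = 1; next }
        inlist && /^(---|Client Certificate Types:|Server Temp Key:|Peer sign)/ { inlist = 0 }
        inlist && /Requested Signature Algorithms:/ { inlist = 0 }
        inlist && NF { print }
        END { if (found) exit 0; if (none) exit 1; exit 2 }
    '
}

# Constructed sample: server requests a client certificate and lists two CAs.
sample_with_cas() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.test.com
   i:/CN=Constructed Server CA
---
Acceptable client certificate CA names
/C=US/O=Constructed Org/CN=Constructed Client CA 1
/C=US/O=Constructed Org/CN=Constructed Client CA 2
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 3000 bytes and written 400 bytes
EOF
}

# Constructed sample: server did not send a CA list.
sample_no_cas() {
cat <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
---
EOF
}

# Against a live server, feed it the command from the answer:
#   openssl s_client -connect www.test.com:443 -prexit </dev/null 2>/dev/null | client_ca_names
sample_with_cas | client_ca_names
```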