My company experienced the same behavior with client certificates and iOS that is described in this thread. Through our Apple Enterprise contact, an Apple Systems Engineer recommended the following:
This is a known issue and something that Microsoft has issued a workaround for.
http://support.microsoft.com/kb/933430/EN-US
See method 3 in the index.
Method 3 resolved the issue for getting iOS 5.1.1 and 6.0 beta 2 to prompt and use client certificates with Microsoft Threat Management Gateway [TMG] on Windows Server 2008 R2.
For IIS 7.5 on Windows Server 2008 R2, I also had to enable client certificate negotiation. This setting must be enabled or disabled through the command-line. The only downside with enabling client cert negotiation is that it caused our internal desktop IE8 browsers to also start prompting for client certificates instead of automatically passing the NT token through for the sites requiring Integrated Windows Authentication. I have not resolved the IE8 client certificate prompting yet.
I used the information from http://tuganologia.blogspot.com/2010/03/iis-75-and-70-certificate-trust-lists.html as a guide, but instead of setting the CTL properties, enabled the clientcertnegotiation property.
A list of parameters for the netsh http add sslcert command can be found here http://msdn.microsoft.com/en-us/library/windows/desktop/cc307220(v=vs.85).aspx
There is no "update". You must look at the current settings, copy the information, delete the SSL server certificate binding, and then re-add it with the modified settings.
First off, we need to run a command console with elevated privileges (run cmd.exe as administrator).
For my servers, I did the following:
Execute the command: netsh http show sslcert
Make note of the results (i.e. copy them into Notepad).
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=<hash> appid=<appid> certstorename=MY clientcertnegotiation=enable
The other parameters seemed to be at their defaults and I did not specify them in the command-line when re-adding.
Execute netsh http show sslcert again to verify the settings look the same as the original but with clientcertnegotiation enabled.
One more note: client certs only seem to work with Mobile Safari. After applying the Microsoft server-side changes, only Mobile Safari would prompt for and use client certificates. Chrome, Atomic Web, and iCabMobile browsers on iOS do not seem able to utilize client certs installed on iOS.
Hope this helps.
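
The delete and re-add steps in the post above, as an added example that is not part of the original post: a PowerShell sketch that reads saved `netsh http show sslcert` output, prints the matching delete/add pair with `clientcertnegotiation=enable`, and flags any setting that differs from the netsh default and would be lost by the shorter add command. It assumes English-language netsh labels; the hash, application ID and the non-default DS Mapper value in the sample are constructed.

```powershell
# Added example (not from the original post). Builds the delete / re-add pair
# from saved `netsh http show sslcert` output and prints it for review;
# nothing is executed. Assumes English netsh labels. Sample values are constructed.
$saved = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {11111111-2222-3333-4444-555555555555}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    DS Mapper Usage              : Enabled
    Negotiate Client Certificate : Disabled
'@ -split '\r?\n'

# Values netsh shows when a parameter was left at its default on "add sslcert".
$defaults = @{
    'Verify Client Certificate Revocation' = 'Enabled'; 'Usage Check' = 'Enabled'
    'Verify Revocation Using Cached Client Certificate Only' = 'Disabled'
    'Revocation Freshness Time' = '0'; 'URL Retrieval Timeout' = '0'
    'Ctl Identifier' = '(null)'; 'Ctl Store Name' = '(null)'; 'DS Mapper Usage' = 'Disabled'
}

function Get-SslBinding {
    param([string[]]$Lines)
    $bindings = @(); $current = $null
    foreach ($line in $Lines) {
        # Lines look like "Label text   : value"; the label itself may contain ':' (IP:port).
        if ($line -notmatch '^\s*(.+?)\s+:\s+(.*)$') { continue }
        $label = $Matches[1]; $value = $Matches[2].Trim()
        if ($label -eq 'IP:port') { $current = @{}; $bindings += $current }  # start of a new binding
        if ($null -ne $current) { $current[$label] = $value }
    }
    $bindings
}

foreach ($b in @(Get-SslBinding $saved)) {
    "netsh http delete sslcert ipport=$($b['IP:port'])"
    "netsh http add sslcert ipport=$($b['IP:port']) certhash=$($b['Certificate Hash']) " +
        "appid=$($b['Application ID']) certstorename=$($b['Certificate Store Name']) clientcertnegotiation=enable"
    foreach ($k in $defaults.Keys) {
        if ($b.ContainsKey($k) -and $b[$k] -ne $defaults[$k]) {
            "REM check: '$k' was '$($b[$k])'; the add command above does not carry it over"
        }
    }
}
```

To use it on a real server, replace the sample with the text saved from `netsh http show sslcert` and review the printed commands before running them in the elevated console.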