Core issue
This issue is due to the presence of Cisco bug ID CSCea56044.
If two digital certificates have the same Common Name (CN) (though the complete Distinguished Name (DN) can be different), the VPN Client software is not able to use the second certificate. The VPN Client always takes the first certificate that matches this CN.
Resolution
As a workaround, perform one of these steps: