You may need to add / point to a cert in the NDS database.
I know there's an option in MS AD for specifying a cert for each user object.
If you use only the ACS (no NDS) do the clients authenticate ok?
IIRC, the certificate is used in lieu of a username and password; there'd need to be some way to associate the cert from the client to a username in the directory.
I haven't played with it yet (or read about it), so I'm just offering a suggestion off the top of my head. If I get a chance, I'll check it out in the Lab at work and let you know.
Good Luck
Scott