When the RSA Access Manager agent is configured for Protocol Transition and the authentication type is CERTIFICATE, the agent returns a 401 error the first time protected content is accessed. If the page is refreshed, the agent displays the page, but a 401 is displayed again when the idle timeout occurs. This happens because certificate authentication occurs in the wrong place in the authentication order.
To resolve this, set cleartrust.agent.iis.preproc_auth_enabled=TRUE. This changes the authentication event from the IIS OnPostAuthenticateRequest event to the BEGIN_REQUEST notification event.