Mike_P_
Dec 07, 2017

Authenticate client certificate when it is already presented to F5 via header

I'm having an ongoing problem with a single client (all other users are fine) for a site that uses the following iRule to request a client certificate and insert it as a header if the client asks for a specific URI.

when CLIENTSSL_CLIENTCERT {
  # Fires once the client has answered the certificate request (initial
  # handshake or renegotiation). Reject if no cert arrived; otherwise release
  # the request that HTTP_REQUEST is holding.
  if { [SSL::cert count] < 1 } {
    reject
    log "Cert not present, rejected"
    return
  }
  HTTP::release
  log "Cert present, Proceeding"
}

when HTTP_REQUEST {
  if { [class match [HTTP::uri] contains dsg_selectivematches] } {
    log "Certificate required for: [HTTP::uri]"
    if { [SSL::cert count] <= 0 } {
      # No cert yet: hold the request and ask for one by renegotiating
      log "Holding HTTP request until a client cert is presented..."
      HTTP::collect
      SSL::authenticate always
      SSL::authenticate depth 15
      SSL::cert mode request
      SSL::renegotiate
    } else {
      # A cert was already presented during the initial handshake
      log "Client certificate already present for: [HTTP::uri]"
    }
  }
}

when HTTP_REQUEST_SEND {
  clientside {
    if { [SSL::cert count] > 0 } {
      # Pass the DER cert and its issuer to the server as base64 headers
      HTTP::header insert "SSL_Client_Cert" [b64encode [SSL::cert 0]]
      HTTP::header insert "SSL_Client_Cert_Chain_0" [b64encode [SSL::cert issuer 0]]
      log "The Following Headers were inserted successfully: [HTTP::header names] SSL Verify Result: [X509::verify_cert_error_string [SSL::verify_result]]"
    }
  }
}

I am no iRule expert; as you can see, the above code is "frankensteined" together, but it works for all users except one, who happens to be a major customer (of course), and it is an API-based connection, so it is hard for them to change things and troubleshoot.

In my logs I see they only seem to get to the HTTP_REQUEST portion of the iRule, and nothing ever gets sent to the server. It appears to me that they are rejecting the SSL renegotiation, but I wonder if the iRule isn't working because it is being presented with their client certificate right at the beginning of the session and is not responding properly to being asked for a cert. Any help or guidance anyone can provide would be appreciated.

1 Reply

  • I've just been looking at a similar issue. Nothing is sent to the server as there is a condition to check for the certificate count:

    if { [SSL::cert count] > 0 } {

    I suspect that the result of the command is returning a zero as the certificate is likely only required once. Try changing the clientssl certificate to "always" require the certificate, rather than "once", which is the default.
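The following rearrangement of the rule above is an added example, not the poster's iRule or F5's code: it skips renegotiation when the client already sent a certificate in the initial handshake (the case the poster suspects), strips any client-supplied copies of the certificate headers so the back end only ever sees values BIG-IP set, and forwards the certificate only when BIG-IP's verification result is 0 (success). The data group name dsg_selectivematches comes from the post; the header names are the post's and the log text is constructed.

```tcl
when HTTP_REQUEST {
    # A client could send its own SSL_Client_Cert header to impersonate a
    # certificate holder; remove any such headers before they reach the server.
    HTTP::header remove "SSL_Client_Cert"
    HTTP::header remove "SSL_Client_Cert_Chain_0"

    if { [class match [HTTP::uri] contains dsg_selectivematches] } {
        if { [SSL::cert count] > 0 } {
            # Cert already presented in the initial handshake: nothing to do,
            # HTTP_REQUEST_SEND will forward it.
            log local0. "Cert already present for [HTTP::uri] from [IP::client_addr]"
        } else {
            # Hold the request and ask for a certificate via renegotiation.
            log local0. "Holding [HTTP::uri] from [IP::client_addr] until a cert is presented"
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 15
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Runs after the (re)negotiation completes. Release the held request
    # only if a certificate actually arrived.
    if { [SSL::cert count] < 1 } {
        log local0. "No cert from [IP::client_addr] after renegotiation, rejecting"
        reject
        return
    }
    HTTP::release
}

when HTTP_REQUEST_SEND {
    clientside {
        # Forward the certificate only if BIG-IP verified the chain (result 0);
        # in "request" mode the handshake succeeds even when verification fails.
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            HTTP::header insert "SSL_Client_Cert" [b64encode [SSL::cert 0]]
            HTTP::header insert "SSL_Client_Cert_Chain_0" [b64encode [SSL::cert issuer 0]]
        } elseif { [SSL::cert count] > 0 } {
            log local0. "Cert from [IP::client_addr] failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
        }
    }
}
```

Logging the client address at each stage makes it possible to see, for the one failing client, whether the hold is entered and whether CLIENTSSL_CLIENTCERT ever fires afterwards.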