Here's what you're SSLDUMP string might look like:
ssldump -k -i 0.0 -AdNn port 443
-k - you need the physical location of the private (*.key) file that is specified in the client SSL profile
-i 0.0 - this means use all interfaces, but you can narrow it down to a single VLAN/interface
-AdNn - this esentially means decrypt the traffic if possible and clean up the capture
port 443 - this is your filter. SSLDUMP absolutely requires a filter string. YOu can narrow this down to an IP address or anything else as long as the filter is there.
What you're looking for are the initial client and server SSL handshakes, and more specifically, where it fails. You'll either see one of the parties mysteriously reset, or potentially a "fatal handshake" error. Please post what you find.
Also:
1. Do your client certificates contain a CRLDP or AIA field, and if so are those accessible?
2. In Chrome, under Advanced Settings and HTTP/SSL, do you have "Check for server certificate revocation" checked?
3. In Firefox, in Options, Advanced, Encryption, then the Validation button, what do you have checked there?