EDITED: This document describes the configuration for TouchDown policies, but for client cert configuration you will have to follow MIs advice on the selection of the certs for the tunnel. As far as i know the current iOS touchdown should accept the cert from MI and use it for authentication.
The attachment at this link describes the configuration you can do with MI. MI support is quite familiar with the server side configuration nuances
https://support.symantec.com/en_US/article.DOC8663.html
-g