Hi,
This is how I usually do it:
1. Create a user with name xyz.
2. Create a private key with name xyz (make sure the CN value matches the user name).
3. From the internal identity provider, find user xyz, go to the cert tab -> import, choose the option to import from a known trusted certificate, and choose the cert.
4. From manage private keys, export the key as .p12.
5. From manage listening port, enable another port, for example 7443, for Policy Manager access, and from the properties of this port assign the server private key as xyz in the software DB.
6. Assign the admin role to user xyz.
7. Now launch Policy Manager and, from the client cert option, add the private key for xyz which we exported previously.