I am not sure how your 'vendor application' works, but one of the ways is to use a FIP user to authenticate. For example,
you have a browser on your laptop and you are hitting a policy on the gateway.
1. You would create a FIP identity provider on the gateway with user 'JOHN'.
2. Now you would create a private key named JOHN.
3. Generate a CSR value and sign it with the CA certificate.
4. Go back to private key John and replace the certificate chain with the signed cert. That will import the root cert (CA cert) and your signed JOHN cert.
Now go back to FIP identity provider > properties and add only the root cert to it (which tells it to trust any cert that comes in signed by this root cert, as long as the username and the cert CN value match; in our case, JOHN).
5. Now, export this private key.
6. Import it into a browser.
7. Access the policy that has the Require Cert SSL TLS assertion and the Authenticate against FIP identity provider assertion.
8. Your browser should offer that private key and go through the policy.
*****************
If you have more questions, you might want to open a case with CA SUPPORT.
NOTE: sorry if I misspelled something I was just brainstorming here ...
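
The trust rule described in the steps above (certificate signed by the root added to the FIP, and CN equal to the username), reproduced with openssl as an added example. It is not from the original post or from the gateway product; the throwaway CA, file names, function names, and demo password are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added illustration: a throwaway PKI built locally, nothing here touches a gateway.

# Steps 2-5 outside the gateway: root CA, key + CSR for $2, signed cert, PKCS#12.
make_demo_pki() {
  local dir="$1" user="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/$user.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 1 \
    -out "$dir/$user.pem" 2>/dev/null || return 1
  # Bundle for browser import (key + signed cert + root); password is a demo value.
  openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.pem" \
    -certfile "$dir/root.pem" -out "$dir/$user.p12" -passout pass:demo-only
}

# Print the CN of a certificate's subject (assumes a CN without commas).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeeds only if the cert verifies against the supplied root alone
# AND its CN equals the expected username.
fip_would_trust() {
  local root="$1" cert="$2" user="$3"
  openssl verify -no-CApath -CAfile "$root" "$cert" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$cert")" = "$user" ]
}

# Demo run with constructed data.
demo_dir="$(mktemp -d)"
make_demo_pki "$demo_dir" JOHN
if fip_would_trust "$demo_dir/root.pem" "$demo_dir/JOHN.pem" JOHN; then
  echo "JOHN: chain and CN check pass"
fi
if ! fip_would_trust "$demo_dir/root.pem" "$demo_dir/JOHN.pem" MARY; then
  echo "MARY: rejected, CN does not match username"
fi
```

Running the same two checks against the certificate you exported in step 5 is a quick way to tell a chain problem from a CN mismatch before testing in the browser.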