What were you trying to do that didn't work?
When selecting Login using certificate on the ipa/ui login page:
The modified value works (note the comma before CN):
X509:<I>C=US,O=U.S. Government,OU=NASA,OU=Certification Authorities,OU=NASA Operational CA<S>C=US,O=U.S. Government,OU=nasa,OU=People,OID.0.9.2342.19200300.100.1.1=tmberry,CN=THOMAS BERRY (affiliate)
The original AD generated value fails (note the space before CN):
X509:<I>C=US,O=U.S. Government,OU=NASA,OU=Certification Authorities,OU=NASA Operational CA<S>C=US,O=U.S. Government,OU=nasa,OU=People,OID.0.9.2342.19200300.100.1.1=tmberry CN=THOMAS BERRY (affiliate)
This value is produced by NASA and is intended to be applied to altSecurityIdentities across NASA Active Directory systems; JPL has successfully applied this value to its Active Directory.
Here is the Certificate Identity Mapping Rule:
Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
Matching rule: <ISSUER>OU=NASA Operational CA,OU=Certification Authorities,OU=NASA,O=U.S. Government,C=US
- We found that this is deprecated; not sure if it applies.
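As an added check (written for this report, not code from FreeIPA or SSSD): a small Python validator for X509:<I>...<S>... values of the kind stored in altSecurityIdentities and matched by the ipacertmapdata rule above. It splits issuer and subject into RDNs on unescaped commas and flags an RDN whose value carries a bare " TYPE=" token, which is exactly the missing-comma shape that fails to match. The two sample values are constructed to mirror the report; the attribute-type pattern is an assumption, not an exact transcription of how SSSD's ad_x500 template formats names.

```python
import re

# Constructed sample values shaped like the ones in the report (not real records).
GOOD = ("X509:<I>C=US,O=U.S. Government,OU=NASA,OU=Certification Authorities,OU=NASA Operational CA"
        "<S>C=US,O=U.S. Government,OU=nasa,OU=People,"
        "OID.0.9.2342.19200300.100.1.1=tmberry,CN=THOMAS BERRY (affiliate)")
BAD = ("X509:<I>C=US,O=U.S. Government,OU=NASA,OU=Certification Authorities,OU=NASA Operational CA"
       "<S>C=US,O=U.S. Government,OU=nasa,OU=People,"
       "OID.0.9.2342.19200300.100.1.1=tmberry CN=THOMAS BERRY (affiliate)")

# Assumed attribute-type shape: a short name (CN, OU, ...) or OID.<dotted number>.
ATTR_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|OID\.[0-9.]+)"
RDN_START = re.compile(r"^" + ATTR_TYPE + r"=")
STRAY_TYPE = re.compile(r"\s" + ATTR_TYPE + r"=")

def split_rdns(dn):
    """Split an AD X.500-style DN on commas that are not backslash-escaped."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns

def parse_x509_mapping(value):
    """Parse 'X509:<I>issuer<S>subject' into two RDN lists."""
    m = re.fullmatch(r"X509:<I>(.*)<S>(.*)", value)
    if not m:
        raise ValueError("not an X509 issuer/subject mapping")
    return split_rdns(m.group(1)), split_rdns(m.group(2))

def find_suspect_rdns(value):
    """Return RDNs that look malformed: no 'type=' prefix, or a value holding a
    bare ' TYPE=' token (the dropped-comma case from the report)."""
    issuer, subject = parse_x509_mapping(value)
    suspects = []
    for rdn in issuer + subject:
        if not RDN_START.match(rdn) or STRAY_TYPE.search(rdn.partition("=")[2]):
            suspects.append(rdn)
    return suspects
```

Running find_suspect_rdns over the values exported from AD before loading them into ipacertmapdata reports the malformed entries so they can be fixed at the source rather than discovered at login time.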
We would like to point out that issuer-subject mappings are deprecated by Microsoft, see
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
for details. Recent versions of SSSD on RHEL 9 and 8 will support those new mappings.