There’re actually 2 distincts parts in client certificate authentication with Oracle DSEE or former Sun directory server versions.
The first part is really standards (TLS,SSL v3) based: both client and server authenticate to each other as they’d in a usual SSL handshake like HTTPS. Then, ODSEE adds a second optional check (the 2nd part): it can make sure the certificate sent by the client is the same as the one stored in the LDAP entry for that client. That’s why if you want to use that option, enabling it also requires to configure ODSEE so that it knows how and where to find the LDAP entry representing the client in its database(s), and where to find the attribute in that entry.
The second check is primarily intended in case of certificate renewal of the CA, to make sure clients (especially browsers) will present the right certificate after a while, preventing them to use a possibly still valid (from a time validity point of view) certificate signed by the right CA but with an old CA key.
Also, notice that DSEE has a security related option to allow or require a client certificate, when running over SSL/TLS. In both cases, the client will present a certificate (if he has a valid one of course), but if you set the server option to « allow », DSEE will then simply ignore it.