When you try to connect to a provider with a certificate, you can get the message below e.g. in your Windows Event Viewer under Application.
The issuer of the Security Token was not recognized by the IssuerNameRegistry. To accept Security Tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
If you are using the thumbprint of the certificate in the web.config everything might seem to be correct. But the problem can be that you copied the thumbprint from the certificate. When you copy the thumbprint from the certificate you get an extra “invisible” stop-character (shown with yellow below) included in the copy and the pasting to the web.config. Don’t copy the thumbprint from the certificate. Just type it in manually.