Right, so do you see where the server rejects the connection right after the client sends its certificate? That almost always implies that the server is rejecting the client cert for validation reasons. You'll also get a much better look at this in Wireshark. Use tcpdump to capture separate browser and web services sessions and compare them:
tcpdump -lnni [client side vlan] -vvvXs0 -w [file.pcap]
In the Wireshark capture, look at this same client Certificate message. What you're likely to see is the client sending its cert and at least one subordinate CA cert. You shouldn't see this in the web services capture. In any case, if your client side PKI is based on multiple levels of CA issuance, for example:
root CA -> sub CA -> sub-sub CA -> client cert
Then you'll need ALL of these CA certs in the bundle that you create for the Trusted Certificate Authorities option. A bundle is a simple text file with the PEM-formatted certs one after the other.
-----BEGIN CERTIFICATE-----
stuff...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
stuff...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
stuff...
-----END CERTIFICATE-----
The server (BIG-IP) must be able to validate trust in the client's certificate, so needs the entire client side PKI CA chain.
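
Added example, not part of the original post: an offline check of the bundle with the openssl CLI before it is loaded as the Trusted Certificate Authorities bundle. It builds a throwaway root CA -> sub CA -> sub-sub CA -> client cert chain (all names, keys and file paths are constructed for the example) and shows that the client cert validates against the full bundle but not against one with a CA left out.

```bash
#!/usr/bin/env bash
# Added example. Every name, key and certificate below is constructed in a
# temp directory; nothing here comes from the original post or a real PKI.
work=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n'  > "$work/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\n' > "$work/leaf.ext"

csr() {   # csr NAME -> NAME.key + NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}
issue() { # issue SUBJECT ISSUER EXTFILE -> SUBJECT.pem signed by ISSUER
  openssl x509 -req -in "$work/$1.csr" -days 1 -extfile "$work/$3" \
    -CA "$work/$2.pem" -CAkey "$work/$2.key" -CAcreateserial \
    -out "$work/$1.pem" 2>/dev/null
}
build_pki() { # root CA -> sub CA -> sub-sub CA -> client cert
  for n in root sub subsub client; do csr "$n"; done
  openssl x509 -req -in "$work/root.csr" -days 1 -extfile "$work/ca.ext" \
    -signkey "$work/root.key" -out "$work/root.pem" 2>/dev/null
  issue sub root ca.ext
  issue subsub sub ca.ext
  issue client subsub leaf.ext
}
make_bundle() { # make_bundle OUTFILE CA... : PEM certs one after the other
  out=$1; shift
  : > "$out"
  for ca in "$@"; do cat "$work/$ca.pem" >> "$out"; done
}
verify_client() { # prints OK or FAIL for client.pem against a bundle
  if openssl verify -CAfile "$1" "$work/client.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

build_pki
make_bundle "$work/full.pem"    root sub subsub
make_bundle "$work/partial.pem" root sub          # sub-sub CA left out
echo "full bundle:    $(verify_client "$work/full.pem")"
echo "partial bundle: $(verify_client "$work/partial.pem")"
grep -c 'BEGIN CERTIFICATE' "$work/full.pem"      # number of CAs in bundle
```

Against a real deployment, the same `openssl verify -CAfile bundle.pem client.pem` call on an exported client cert shows whether the bundle is complete before it goes onto the BIG-IP.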