FortiGate
msolanki
Staff
Article Id 408067
Description

This article describes how to troubleshoot when an intermediate certificate is used in mTLS.

Scope

FortiGate.
Solution

If mTLS client certificate authentication fails when the client certificate was issued by an intermediate CA, the WAD debug output shows errors similar to the following (the certificate CN, issuer name and IP address are placeholders):

[I][p:6711][s:1151737403] wad_vs_log_clt_cert_failure :98 19:mTLS: Traffic denied because cert auth failed, cert-cn xxx test1, cert-issuer:YYYY CA 2021, cert-status:failure fail-reason:unable to get issuer certificate
[I][p:6711][s:1151736856] wad_vs_ssl_port_caps_c2p_on_client_hello:10743 19:mTLS: wsp(0x7f81b07048) handshake recv ClientHello record 3.1 client 3.3 supported 3.4
[V][p:6711][s:1151736856] wad_vs_ssl_c2p_check_alpn :24145 wsp=0x7f81b07048, alpn=h2
[V][p:6711][s:1151736856] wad_vs_ssl_c2p_check_alpn :24154 wsp=0x7f81b07048, vs server set alpn http2
[V][p:6711][s:1151736856] wad_vs_proxy_match_vhost :4407 19:mTLS: matching vhost by: x.x.x.x
[V][p:6711][s:1151736856] wad_vs_matcher_map_find :764 Empty matcher!
[V][p:6711][s:1151736856] wad_vs_proxy_match_vhost :4410 19:mTLS: no host matched.

The fail-reason 'unable to get issuer certificate' means that the FortiGate could not build a chain from the client certificate to a CA it trusts: the client certificate is signed by the intermediate CA, but only the root CA is known to the FortiGate, so the issuer of the client certificate cannot be found. The intermediate CA must therefore be added as a trusted issuer in addition to the root CA.

 

Configure the certificates as follows: the root CA as the user certificate CA, and the intermediate CA as a trusted issuer.

 

config authentication setting

    set user-cert-ca "CA_Cert_root" <----- ROOT CA Certificate.

end

 

config user certificate

    edit "trusted-ca"

        set type trusted-issuer

        set issuer "CA_Cert_Intermed" <----- Intermediate CA Certificate.

    next

end
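The following Go program is an added example, not Fortinet's code and not how the FortiGate itself implements the check. It builds a constructed root -> intermediate -> client certificate hierarchy (the CNs mirror the names in the configuration above; the certificates and keys are generated on the fly and are not real) and verifies the client certificate with Go's standard crypto/x509 library twice: once trusting only the root CA, which fails because the issuer of the client certificate cannot be found (the counterpart of the 'unable to get issuer certificate' fail-reason in the WAD log), and once with the intermediate CA supplied as a trusted issuer, which succeeds. The mapping of the roots and intermediates pools to user-cert-ca and trusted-issuer is an illustrative assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed test hierarchy (root -> intermediate -> client); nothing here is a real certificate.
type PKI struct {
	Root, Intermediate, Client *x509.Certificate
}

// issue generates a fresh P-256 key for tmpl and signs the certificate with parentKey
// (self-signed when parent == tmpl and parentKey is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestPKI builds the root CA, intermediate CA and client certificate (CNs follow the article's names).
func NewTestPKI() (*PKI, error) {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool, ku x509.KeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  ca,
			BasicConstraintsValid: true,
			KeyUsage:              ku,
		}
	}
	rootTmpl := tmpl(1, "CA_Cert_root", true, x509.KeyUsageCertSign)
	root, rootKey, err := issue(rootTmpl, rootTmpl, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(tmpl(2, "CA_Cert_Intermed", true, x509.KeyUsageCertSign), root, rootKey)
	if err != nil {
		return nil, err
	}
	clientTmpl := tmpl(3, "test1", false, x509.KeyUsageDigitalSignature)
	clientTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	client, _, err := issue(clientTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Intermediate: inter, Client: client}, nil
}

// VerifyClientCert checks a presented client certificate against the trusted roots (user-cert-ca)
// and the known intermediates (trusted-issuer); nil means a chain to a root was built.
func VerifyClientCert(client *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := client.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsMissingIssuer reports whether err is Go's counterpart of "unable to get issuer certificate":
// no path from the client certificate to a trusted root could be found.
func IsMissingIssuer(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

func main() {
	pki, err := NewTestPKI()
	if err != nil {
		panic(err)
	}
	// Root only reproduces the failure; root plus intermediate is the corrected configuration.
	fmt.Println("root only:", VerifyClientCert(pki.Client, []*x509.Certificate{pki.Root}, nil))
	fmt.Println("root + intermediate:", VerifyClientCert(pki.Client, []*x509.Certificate{pki.Root}, []*x509.Certificate{pki.Intermediate}))
}
```

Running the program prints a "certificate signed by unknown authority" error for the root-only case and a nil error once the intermediate is also trusted; the same chain-building rule is what the FortiGate applies when it looks up the issuer of the presented client certificate.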

 

To implement mTLS client certificate authentication, refer to this document: mTLS client certificate authentication
