If anyone else has run into issues configuring mutual authentication / 2-way SSL between IIQ and a Cloud Gateway, the standard SP guide is lacking a bit of troubleshooting info:
If you run into an "unknown CA" error when testing the connection and you're sure your key and truststores are configured correctly, you may need to specify the sslImplementationName explicitly in your cibserver's server.xml.
We need the JSSE implementation provided as part of Java runtime. Normally it’ll choose the correct implementation by default, but this may not always happen.
By adding the below sslImplementationName to the server.xml, we got our connection working. Full Connector tag for context:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" server="Apache" SSLEnabled="true"
           scheme="https" secure="true" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           keystoreFile="keystore/keystore.jks" keystorePass="***********" keyAlias="cibserver"
           clientAuth="true" sslProtocol="TLS" />
```
Hopefully this can help anyone troubleshooting a similar issue in the future.
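As an added example (not part of the original post or of SailPoint's tooling), a small checker that reads a Tomcat server.xml and reports whether each SSL Connector actually enforces mutual TLS the way the tag above does: clientAuth="true", JSSE pinned via sslImplementationName, and a truststore to validate the gateway's client certificate. The sample server.xml and its passwords are constructed for the example.

```python
# Added example: lint Tomcat SSL Connectors for the mutual-TLS settings discussed above.
import xml.etree.ElementTree as ET

JSSE_IMPL = "org.apache.tomcat.util.net.jsse.JSSEImplementation"

# Constructed sample: one plain HTTP connector, one connector matching the post's
# working tag (plus an explicit truststore), and one weakly configured connector.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
      scheme="https" secure="true" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
      keystoreFile="keystore/keystore.jks" keystorePass="CHANGEME" keyAlias="cibserver"
      truststoreFile="keystore/truststore.jks" truststorePass="CHANGEME"
      clientAuth="true" sslProtocol="TLS" />
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
      keystoreFile="keystore/keystore.jks" keystorePass="CHANGEME" clientAuth="want" sslProtocol="SSLv3" />
</Service></Server>"""


def check_mtls_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every SSLEnabled Connector; an empty list means OK."""
    root = ET.fromstring(server_xml)
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are out of scope here
        findings = []
        # Mutual TLS requires the client certificate: "want" makes it optional and
        # "false" (the Tomcat default) never asks for one.
        client_auth = conn.get("clientAuth", "false").lower()
        if client_auth != "true":
            findings.append(f"clientAuth={client_auth!r}: client certificate not required")
        # The post's fix: pin the implementation to JSSE instead of relying on autodetection.
        impl = conn.get("sslImplementationName")
        if impl is None:
            findings.append("sslImplementationName not set (implementation auto-selected)")
        elif impl != JSSE_IMPL:
            findings.append(f"sslImplementationName={impl!r}, expected JSSE")
        if not conn.get("keystoreFile"):
            findings.append("keystoreFile missing")
        # Without an explicit truststore the JVM default cacerts decides which client CAs are trusted.
        if not conn.get("truststoreFile"):
            findings.append("truststoreFile not set: JVM default truststore will be used")
        if conn.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f"sslProtocol={conn.get('sslProtocol')!r}: legacy SSL protocol")
        results[conn.get("port", "?")] = findings
    return results


if __name__ == "__main__":
    for port, findings in check_mtls_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or "OK")
```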