This indicates that the peer (IdP) rejected the certificate the SP presented, but did so using a layer of code inside the Apache mod_ssl module. This should never happen unless the IdP is wrongly configured by allowing mod_ssl to validate the certificate. You need to make sure the SSLVerifyClient option is set to "optional_no_ca".

If you think it is set, you're either wrong, or the certificate violated a built-in requirement that mod_ssl refuses to disable, and you should upgrade to a newer Apache version.

You may also consider running the IdP without Apache, which is now supported and documented.