Came across this a while ago during my earlier deployments of Exchange 2007:
Common name was webmail.domain.ca and the SAN entry was mail.domain.ca.
Testing SSL mutual authentication with RPC Proxy server
Failed to verify Mutual Authentication
What I learned here is that the URL you’re going to use for Outlook Anywhere HAS TO be the first entry if you’re using a SAN.
I remember trying to ask at Tech Ed 2010 North America whether this and the wildcard problem with iPhones were fixed in Exchange 2010 but didn’t end up getting an answer.
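A check for the mismatch described above, as an added example that is not part of the original post. It assumes it is run in the Exchange Management Shell on the Client Access server and that the certificate in question is the one enabled for IIS; it compares the Outlook Anywhere external host name with the certificate's common name and SAN entries.

```powershell
# Added example: compare the Outlook Anywhere host name with the certificate names.
# Assumption: the first Outlook Anywhere configuration and the first certificate
# enabled for IIS are the ones being tested.
$oa       = Get-OutlookAnywhere | Select-Object -First 1
$hostName = ([string]$oa.ExternalHostname).ToLower()

$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate is enabled for IIS on this server."
    return
}

# Pull the common name out of the subject string (e.g. "CN=webmail.domain.ca, O=...").
$commonName = $null
if ($cert.Subject -match 'CN=([^,]+)') {
    $commonName = $Matches[1].Trim().ToLower()
}

# All names on the certificate (subject and SAN entries) as plain strings.
$allNames = @($cert.CertificateDomains | ForEach-Object { ([string]$_).ToLower() })

Write-Output "Outlook Anywhere host : $hostName"
Write-Output "Certificate CN        : $commonName"
Write-Output "Certificate names     : $($allNames -join ', ')"
Write-Output "Thumbprint            : $($cert.Thumbprint)"

if ($hostName -eq $commonName) {
    Write-Output "OK: the Outlook Anywhere host name is the certificate's common name."
}
elseif ($allNames -contains $hostName) {
    # The situation from the post: the name is on the certificate, but only as a SAN.
    Write-Warning "The Outlook Anywhere host name is only a SAN entry; the common name is '$commonName'."
}
else {
    Write-Warning "The Outlook Anywhere host name does not appear on the certificate at all."
}
```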