In an article last year Citrix Tech Guru, Jay Tomlin, shared a workaround that overcomes a limitation of the Presentation Server client: if an Access Gateway were configured to require SSL client certificates (such as those found on user smart cards), then ICA client connections would fail because the ICA client couldn't present a client certificate during the SSL handshake.
In this report Jay is happy to report that this limitation has been addressed with the release of the Win32 Presentation Server client version 10.1. Somehow this new feature managed to escape the readme.
Access Gateway (any edition) can be set to require a valid client certificate before allowing users to log on, and Access Gateway Enterprise Edition can go further and actually authenticate the user based on the certificate alone. When the option to require a client certificate is enabled, and Web Interface is configured to send Presentation Server clients through the gateway unassisted by a network-layer tunnel, the ICA client must perform its own SSL handshake with the gateway and pump the ICA traffic through that SSL tunnel.