as in your case where you have client cert auth, which means that authentication is done as part of SSL handshake, which happens before actual "http" request is made to server.
so if the handshake fails because of wrong certificate, request doesn't even go further down the line to perform anything on server.
maybe you could look at some ssl handshake logging, but that would be config for sslengine if anything.
You might try starting WF with -Djavax.net.debug=all and then try to find a more narrow log level (or logger filter) once you see what you're looking for. "all" is like trying to drink from a fire hose.
There are some pointers in http://stackoverflow.com/questions/23659564/limiting-java-ssl-debug-logging
finally, it was really a minor issue.
I had the misfortune to configure keystore-provider=jks instead of "JKS" for the truststore in a security realm. (jks is a possible corresponding value in JSSE, but obviously in in wildfly)
The CLI configuration script works also with keystore-provider=jks, but after activating of verify-client=REQUIRED in the https-listener,
no connection is possible. At the first glance, it was not obvious that the problem is the wrong truststore configuration, so I get messed around.
SSL-debugging of server helped, finally.
I removed the superfluous call for keystore-provider as JKS is default after all and it works now.