9800 WLC CLI PIV Works but Web GUI Doesn't

jawesterholm
Level 1

I have successfully enabled PIV authentication for CLI via ISE. However, web does not work; it gives me an openresty error after entering my PIN. Background - I am with DOI and obtained a certificate for the WLC from the DOI CA. Our PIV cards are provided by ENTRUST. I use the Entrust trust point for CLI.

This allows me to use CLI PIV -

crypto pki trustpoint ENTRUST_MG_SVC_SSP_CA
enrollment terminal
authorization username alt-subjectname userprinciplename
revocation-check none

crypto pki authenticate ENTRUST_MG_SVC_SSP_CA

Insert Certificate HERE

ip ssh server certificate profile
user
trustpoint verify ENTRUST_MG_SVC_SSP_CA

ip http secure-trustpoint (WLC trustpoint)
ip http secure-client-auth
ip http secure-peer-verify-trustpoint (WLC Trustpoint) - I've tried using ENTRUST_MG_SVC_SSP_CA as well.
ip http secure-piv-based-auth secure-piv-based-author-only

TAC has been working on this for a few months with no resolution yet.  Any suggestions?  I've tried 17.3, 17.4, 17.12.1, 17.12.2 with no changes.

 


Yeah, login isn't making it to ISE for me either. I've debugged ip http, aaa authen, show logging process nginx internal start last 60, etc. It seems to be some kind of nginx error. I also got DOI to give me a soft token to see if that made a difference vs my PIV card. No change.

jawesterholm
Level 1

Currently running 17.12.3
