Problem turned out to have nothing to do with the IS.
Our outbound traffic was getting routed through two different paths, one of which is meant for web browser traffic only and required a cert that was not in our truststore.
Rather than load a new cert our network team bypassed our traffic form the web browser only route.