WebInspect with CAC Enabled application
Has anyone used the new feature in WebInspect for CAC authentication into an application? How did you get it to work?
I had recorded an internal-only developer class on this new feature, so let me try to convey this.
At the start when loading the site in the Guided Scan wizard, the user should get the prompt to select their certificate. This assumes that loading that page is what triggers the cert request, and that the user already has their CAC cert listed in the Windows cert store for them to select. WebInspect will only be able to browse these sections of the Windows cert store: Local Machine and Current User.
The certificate selection window will include a sub-entry area where the user can enter and Test the PIN needed to unlock the selected certificate. If the highlighted cert does not require this, then that sub-area is not shown. Once entered and selected, WebInspect will use that PIN as needed to access that cert throughout the scan.
If you prefer to use the Basic Scan Wizard, or to pre-set the scan details (Default Scan Settings), open the Scan Settings dialog (lower left corner of the Basic Scan wizard) and go to the Authentication panel. Enable the box for "Client Certificate", then press the Select button and go through the same selection window and PIN Test as described above.
For scanning SOAP-based web services, you would find this same cert selection dialog by opening the Web Services Scan wizard > open the Web Service Designer tool (Design button) > Settings menu > Network Authentication panel > "Client Certificate" button.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
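The answer above assumes the CAC certificate is already present in one of the two Windows stores WebInspect can browse (Current User and Local Machine). The following PowerShell script is an added example, not code from the forum post or from WebInspect itself, for checking that assumption before starting a scan: it enumerates the personal ("My") store under both locations and flags certificates that have a usable private key, carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2, or no EKU restriction), and have not expired. The `Cert:` drive and the `EnhancedKeyUsageList` property are supplied by the Windows PowerShell certificate provider; the store paths are the standard Windows ones and are assumed to be where the smart-card middleware publishes the CAC certificates.

```powershell
# Added example (not from the forum post or from WebInspect): list the
# certificates WebInspect's selection dialog can browse and flag the ones
# that look usable for CAC client authentication.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# The two store locations the WebInspect cert picker can see (assumption:
# the smart-card middleware publishes CAC certs into the personal store).
$stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')

$results = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        # EnhancedKeyUsageList is added by the certificate provider; an empty
        # list means the cert is not restricted to particular usages.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
            Expired       = $cert.NotAfter -lt (Get-Date)
        }
    }
}

# A cert is a candidate when it has a private key (for a CAC this is a
# reference to the key on the card, unlocked with the PIN WebInspect asks
# for), is allowed for client authentication, and is still valid.
$candidates = $results |
    Where-Object { $_.HasPrivateKey -and $_.ClientAuthEKU -and -not $_.Expired }

# Show everything found, then the usable subset.
$results | Sort-Object Store, NotAfter |
    Format-Table Store, Subject, NotAfter, HasPrivateKey, ClientAuthEKU, Expired -AutoSize

if (-not $candidates) {
    Write-Warning ('No client-authentication certificate with a private key found in ' +
                   'CurrentUser or LocalMachine; insert the CAC and check the smart-card ' +
                   'middleware before starting the scan.')
} else {
    'Candidate certificates for the WebInspect selection dialog:'
    $candidates | Select-Object Store, Subject, Thumbprint, NotAfter | Format-List
}
```

Run this in the same Windows account that will launch WebInspect, since the Current User store is per-account. If a certificate appears with `HasPrivateKey` false, Windows knows about the cert but not the key, which is the usual reason the picker shows a cert that then fails the PIN Test.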