That looks really promising 
So does the certificate use the standard private key, or does it normally have its own? The strace above makes me think that it should have its own.
I think you could add a certificate private key to into an an ssh agent so I think if the certificate option is set then you'd want to wrap that in the certificate wouldn't you?