Nuxeo 10.10-HF23 introduces Tomcat 9.0.31, which breaks tls_client_auth in Nuxeo applications due to the issue described here: https://stackoverflow.com/questions/64911070/clients-certificate-authentication-issue-in-tomcat-in-7-0-100.
In a nutshell, Tomcat 9.0.30+ no longer accepts ssl_client_cert headers from nginx now that "strict header value parsing" has been implemented to resolve a CVE.
The following blog post describes the solution one vendor implemented to resolve this problem: https://connect2id.com/products/server/docs/guides/tls-proxy.
Implement an SSLValve that uses the new nginx header "ssl_client_escaped_cert" (when available), and contribute this code to the Tomcat team, which is pretty responsive in general.
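One way the valve proposed above could look, as an added example (not code from Tomcat, Nuxeo or the linked guide): it reads the "ssl_client_escaped_cert" header, percent-decodes it back to PEM and exposes the certificate under the standard servlet request attribute. The class name is hypothetical, and it assumes nginx sets the header from `$ssl_client_escaped_cert` on every request, overwriting any client-supplied value, and that Tomcat is reachable only through that proxy.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical valve name; added example, not part of Tomcat or Nuxeo. */
public class EscapedClientCertValve extends ValveBase {
    // Assumed header name, set by the proxy with:
    //   proxy_set_header ssl_client_escaped_cert $ssl_client_escaped_cert;
    private static final String HEADER = "ssl_client_escaped_cert";

    public EscapedClientCertValve() {
        super(true); // the valve keeps no per-request state, so async is supported
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String escaped = request.getHeader(HEADER);
        // The header is absent or empty when the client presented no certificate.
        if (escaped != null && !escaped.trim().isEmpty()) {
            try {
                // Same attribute the container fills when it terminates TLS itself.
                request.setAttribute(Globals.CERTIFICATES_ATTR, new X509Certificate[] { decode(escaped) });
            } catch (CertificateException | IllegalArgumentException e) {
                // Bad escape sequence or unparsable PEM: fail closed.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        getNext().invoke(request, response);
    }

    /** Percent-decodes the single-line header value back to PEM and parses it. */
    static X509Certificate decode(String escaped) throws CertificateException, IOException {
        // URLDecoder maps a literal '+' to a space; keep it as '+' so base64 is never corrupted.
        String pem = URLDecoder.decode(escaped.replace("+", "%2B"), "UTF-8");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }
}
```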