By default, GlobalProtect automatically filters the certificates for those that specify a Client Authentication purpose so it is not necessary to specify the OID associates with Client Authentication. Note that if multiple client certificates specify the matching OID, GlobalProtect will prompt the user to select the client certificate from the filtered list.