If that name matches an entry in the Domino Directory, you use the first entry from the full name field for further authorization. Otherwise, you use the common name from the certificate.
More data points for not keeping the entire PKI certificate in the person document and authenticating to it. Just use the common name from the cert if the cert is valid, and if the common name is in the directories, use the person from the directory; otherwise, use the person name from the cert.
1) Different systems send different authentication information for the same certificate. For example, using the same CAC (card that has PKI certs on it inserted in a card reader), Windows 7, Windows 10, and ActiveIdentity all send different information for authentication though the CAC is the same.
2) Competition, in this case SharePoint, is able to send a specifically crafted request to the client for authentication that limits selection to one specific certificate type. Domino and some other systems just ask for a certificate. With Windows 10 especially, you have to select "More" and scroll through a list of certificates that often go off the screen to select the one you want. The list includes any that are on the machine in the person certificate store. The SharePoint implementation here is able to limit it to just the certificate(s) they honor out of the multiple types.
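
The name-resolution rule discussed above (valid certificate, look up the common name in the directory, use the first full name entry, otherwise fall back to the certificate's common name), as an added sketch that is not Domino's code or part of the original comments. The directory contents, the function names, the `cert_is_valid` flag and case-insensitive matching are assumptions made for illustration.

```python
# Constructed sample directory. Each person document has a multi-valued
# FullName field; the first value is the name used for authorization.
DIRECTORY = [
    {"FullName": ["CN=Jane Doe/OU=Ops/O=Example", "Jane Doe",
                  "DOE.JANE.Q.1234567890"]},
    {"FullName": ["CN=Sam Lee/O=Example", "Sam Lee"]},
]


def split_rdns(dn):
    """Split a subject DN string on unescaped ',' or '+', unescaping '\\x'.

    Hex-pair escapes such as '\\2C' are not decoded in this sketch.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def common_name(subject_dn):
    """Return the CN value regardless of RDN order, or None if absent."""
    for rdn in split_rdns(subject_dn):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None


def resolve_user(subject_dn, cert_is_valid, directory=DIRECTORY):
    """Map a client certificate to the name used for authorization."""
    if not cert_is_valid:          # chain/expiry/revocation checked upstream
        return None
    cn = common_name(subject_dn)
    if cn is None:
        return None
    for person in directory:
        names = person.get("FullName", [])
        # Assumption: directory matching is case-insensitive.
        if any(n.casefold() == cn.casefold() for n in names):
            return names[0]        # first FullName entry wins
    return cn                      # not in directory: fall back to cert CN
```

The fallback branch returns a name with no directory entry behind it, so access control lists keyed on names have to account for common names issued by any CA the server trusts.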