You can profile the db during authentication to find out the format of subjectDN.
You might be able to enable access logs on the app tier, which should contain subjectDN.
I am not sure of the other circumstances in which a 403 is returned. My guess would be: anytime authentication fails, i.e. either there is a problem during authentication or the user does not have permission.
[Message sent by forum member 'ntonne' (ntonne)]
http://forums.java.net/jive/thread.jspa?messageID=294492