I tried ClientCert 3 9 with no CAlist and got the same response. Even using openssl s_client I can't see the client certificate being sent.
Digging around, I think I know what the problem is but don't have enough knowledge of CA certs to configure Pound.
Briefly, I found that the CA I'm using  created a new CA certificate in August, signed by a new CA root certificate. The new CA cert signed the server certificate. The client (user) certificate was signed by the 'old' CA cert (as it was issued before August). I'm told this has even confused some of the 'experts' using this CA, so this may explain some of the problems (as I'm not an expert).
So, in Pound I've got the two .pem CA certs in my CAlist (as these are the signers of the certs I want clients to present). Is this correct?
In the VeryifyList file I've got the .pem CA root cert and both the old and new CA certs as this provides the chain to verify the presented certs. Correct?
In my browser I've got the user key/cert, old and new CA cert and root cert (to validate the server's certificate).
Thanks again for all the help you've offered.