After wrestling with this issue for the last day, I finally got things to work. First, there's no need to modify the customize() method--The SslSelectChannelConnector automatically takes care of all those details.
The key was to properly configure the HttpClient instance, passing in the correct values for the keystore and truststore.
There is, however, a problem of hidden access to certain fields in both HttpClient (e.g. _keyStoreType) and BayeuxClient (which hard-codes non-SSL access). These two classes should offer setters (or constructor-time parameters) for modifying ALL relevant security implementations to work properly.