Sorry, I should have been more specific: this was with -Dmaven.wagon.http.ssl.easy=false. If we switch to -Dmaven.wagon.http.ssl.easy=true, we also get the keystore being ignored, but in this case we fail with a handshake failure instead of "peer is not authenticated".
In both cases (false or true), Server Name Indication (RFC 3546) breaks: the SSL handshake debug log shows the wrong certificate being sent by the server (the first certificate). Once the http-lightweight wagon v2.2 workaround is put in place, SNI starts working again and the server sends the correct certificate. I suspect that whatever SSL options the new code is setting, it is unintentionally switching other SSL options like SNI off.