Thanks for the quick response Fraser. I did some more digging based on your suggestions, and I think I have a pretty good handle on what's going on.
We actually have 3 ipa servers, with ipa01 being the CA master. After I created the sub-CA, its keys were added to the /etc/pki/pki-tomcat/alias database on ipa01, but not ipa02 or ipa03.
The ipa client on our host was pointing directly to ipa02, and since the CA wasn't in the database it was throwing the error in my original post. By changing /etc/ipa/default.conf to point at ipa01 (and changing the certificate policy), I was able to get certmonger to issue the cert I wanted.
So the question now is: Shouldn't the pki-tomcat/aliases database get automatically replicated from the master to the replicas? What configuration is responsible for doing this, and why might it not be working?
Thanks again for your help,
Ben
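A diagnostic for the situation Ben describes, added here as an example; it is not part of his post or of the FreeIPA/Dogtag projects, and it does not answer the replication question. It does two things a practitioner would want to check before concluding where the sub-CA key lives: read which server a client's /etc/ipa/default.conf points at, and diff the certificate nicknames in the pki-tomcat NSS database (`certutil -L -d /etc/pki/pki-tomcat/alias`) between the CA master and a replica. The `certutil -L` listings, the default.conf fragment, the example.com hostnames and the sub-CA nickname/UUID are all constructed for the example; only the `certutil -L` column layout (nickname, then a trust-flag triple) is assumed from the real tool.

```shell
#!/bin/sh
# Added example, not from the original thread. Compares pki-tomcat NSS
# certificate nicknames between a CA master and a replica, and reads the
# "server" a client is configured to talk to. All sample data is constructed.

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias` on the CA
# master (ipa01) after a sub-CA was created. The sub-CA nickname and its
# UUID are made up; the header block mirrors certutil's real layout.
MASTER_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca 1f3b0a2c-1111-2222-3333-444455556666 u,u,u
'

# Constructed sample for a replica (ipa02) whose database never received
# the sub-CA signing certificate.
REPLICA_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
'

# Constructed /etc/ipa/default.conf fragment as a client pinned to ipa02
# might carry it (example.com is a made-up domain).
CLIENT_CONF='[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
server = ipa02.example.com
host = client.example.com
xmlrpc_uri = https://ipa02.example.com/ipa/xml
enable_ra = True
'

# stdin: certutil -L output. stdout: one certificate nickname per line, sorted.
# A data line is recognised by its last field being an NSS trust triple such as
# "CTu,Cu,Cu" or "u,u,u"; header lines (including "SSL,S/MIME,JAR/XPI") do not
# match, so no header skipping is needed. Nicknames may contain spaces.
nicknames() {
    awk '$NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
             sub(/[ \t]+[^ \t]+$/, "")   # drop the trust-flag column
             print
         }' | sort
}

# $1: master listing, $2: replica listing.
# Prints, sorted, every nickname present on the master but absent on the replica.
missing_on_replica() {
    {
        printf '%s\n' "$1" | nicknames | sed 's/^/M /'
        printf '%s\n' "$2" | nicknames | sed 's/^/R /'
    } | awk '$1 == "R" { on_replica[substr($0, 3)] = 1 }
             $1 == "M" { on_master[substr($0, 3)] = 1 }
             END { for (n in on_master) if (!(n in on_replica)) print n }' | sort
}

# stdin: default.conf. Prints the value of the "server" key (first match).
configured_ipa_server() {
    awk -F'=' '/^[ \t]*server[ \t]*=/ {
                   v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
               }'
}

# Stand-alone run over the constructed samples.
echo "client talks to: $(printf '%s\n' "$CLIENT_CONF" | configured_ipa_server)"
echo "nicknames on master but not on replica:"
missing_on_replica "$MASTER_OUTPUT" "$REPLICA_OUTPUT"
```

On real servers you would feed `certutil -L -d /etc/pki/pki-tomcat/alias` from ipa01 and ipa02 into `nicknames` instead of the constructed strings; a sub-CA nickname that appears only in the master's output is consistent with what Ben observed, while an identical list on all three servers would point the investigation elsewhere (for example at the certificate profile or at which server the client's `server`/`xmlrpc_uri` settings select).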