Hi,
For posterity's sake, this appears to be a problem with KCM (whatever that is, I don't know yet, will look it up later).
I turned it off in /etc/krb5.conf.d/kcm_default_ccache (just comment out the two non-comment lines) and, after restarting sssd or rebooting, with SELinux enabled, it works.
The ticket cache falls back to a keyring one, and after logging in with just a PIN code and the certificate in the card, I have a token.
I have learnt a lot about how this works ;-). Thanks Sumit, Alexander and, indirectly through her blog post, Florence.
Would it be possible to allow two or more certificates in the smart card? We plan on using YubiKeys, and that is just one of their strengths: several slots to keep different keys.
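Added example (not part of the mail above, and not code from the SSSD or MIT Kerberos projects): a POSIX shell script that performs the kcm_default_ccache change described in the mail on a constructed scratch copy of the file, so the real /etc/krb5.conf.d is left alone, and then checks that no active `default_ccache_name = KCM:` line remains. It assumes the stock Fedora/RHEL layout of that file, where the two non-comment lines are `[libdefaults]` and `default_ccache_name = KCM:`; that layout is an assumption, so check the actual file before applying the same edit to it.

```shell
#!/bin/sh
# Added example: comment out the two non-comment lines of kcm_default_ccache,
# the way the mail describes, and verify the result. Runs on a constructed copy.
set -e

# Comment out every line that is neither blank nor already a comment.
disable_kcm_ccache() {
    sed -i -e '/^[[:space:]]*#/!{/^[[:space:]]*$/!s/^/#/;}' "$1"
}

# Exit 0 if an uncommented "default_ccache_name = KCM:" line is still active.
kcm_still_active() {
    grep -Eq '^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*KCM:' "$1"
}

# Print the number of lines that are neither blank nor comments.
active_line_count() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Constructed sample, matching the assumed Fedora/RHEL layout of the file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# This file should normally be installed by your distribution into a
# directory that is included from the Kerberos configuration file (/etc/krb5.conf)

[libdefaults]
    default_ccache_name = KCM:
EOF

BEFORE=$(active_line_count "$SAMPLE")   # 2 active lines in the sample
disable_kcm_ccache "$SAMPLE"
AFTER=$(active_line_count "$SAMPLE")    # 0 active lines after the edit

# After restarting sssd (or rebooting), klist would then report a KEYRING:
# cache instead of KCM:, which is the fallback the mail observed.
printf 'active lines before: %s, after: %s\n' "$BEFORE" "$AFTER"
```

To apply it to the real system, run `disable_kcm_ccache /etc/krb5.conf.d/kcm_default_ccache` as root and then restart sssd; `klist` afterwards shows which cache type is in use.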