One of my brilliant colleagues called me a couple of days ago and needed some help with Configuration Manager not accepting the client certificates.
The certificate was RSA 4096 and used the Microsoft default KSP, and the certificates weren't accepted by the CM client.
But when he tried the same configuration in his lab it worked just fine. The only difference he could spot was that in the lab he used AlternateSignatureAlgorithm=1 in the CAPolicy.inf and got RSASSA-PSS as the signature algorithm, whereas the customer had a regular sha256RSA.
After some testing we found out that with sha256RSA you had to use a CSP instead of a KSP, but with RSASSA-PSS you could use either a KSP or a CSP.
There might be a valid reason for that, but we didn't dig further into it. And since the customer was using sha256RSA we settled on a CSP.
You should of course always use a KSP over a CSP if possible, but I definitely recommend using sha256RSA over RSASSA-PSS every day of the week. More about that in this great blog post: https://pkisolutions.com/pkcs1v2-1rsassa-pss/
BTW: it seems like keys stronger than 2048 bits aren't supported in CM, but it works just fine.
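To check a client certificate for the combination described above before deploying the CM client, here is a PowerShell snippet I am adding as an example (it is not from the original post); it assumes the client certificate sits in Cert:\LocalMachine\My and that the .NET `GetRSAPrivateKey` helper is available, which returns RSACng for KSP-held keys and RSACryptoServiceProvider for CSP-held keys:

```powershell
# Added example (not from the original post): list RSA client-auth certificates and
# show signature algorithm, key size and whether the private key lives in a CSP or a KSP.
function Get-CmClientCertInfo {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: CM client cert store
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        # Skip certs that carry an EKU extension without Client Authentication.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid)) { continue }

        # RSACng => key held by a CNG KSP; RSACryptoServiceProvider => legacy CSP.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { continue }   # not an RSA key (e.g. ECDSA)

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $storage  = 'KSP'
            $provider = $rsa.Key.Provider.Provider
        } else {
            $storage  = 'CSP'
            $provider = $rsa.CspKeyContainerInfo.ProviderName
        }

        $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or RSASSA-PSS
        # Observation from the post: sha256RSA certs were only accepted with a CSP key,
        # RSASSA-PSS certs worked with either a KSP or a CSP.
        $expectedToWork = ($storage -eq 'CSP') -or ($sigAlg -eq 'RSASSA-PSS')

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            SignatureAlg   = $sigAlg
            KeySize        = $rsa.KeySize
            KeyStorage     = $storage
            Provider       = $provider
            ExpectedToWork = $expectedToWork
        }
    }
}

Get-CmClientCertInfo | Format-Table -AutoSize
```

Run it in an elevated session, since reading the machine store's private key handles requires local administrator rights.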