Thank you. EKU clientAuth was missing; including it got p11_child working.
However, still no luck with using the key with sssd and pkinit. kinit works fine with the key, but login (tty and lightdm) never asks for the PIN. Instead it asks for a password two times and accepts the second as a local user-no-kerberos-login when the key is plugged in, and only one time when the key is not plugged in, giving me a Kerberos login with ticket.
I looked into the code and did some debugging and found that krb5_child signals SSS_CERT_AUTH_PROMPTING (code 12) to pam_sss, which it does not know how to handle. But I may be totally mistaken here. And anyway, I am without a clue.