It sounds like you might be mixing together two different things - Code signing certs, and SSL configuration.
Publishing updates requires a code signing certificate. This can be a "WSUS Self Signed" certificate. This is the cert that needs to reside on the client machines.
Using SSL uses a separate, SSL certificate, which IIS needs to be configured to accept. This certificate needs to reside on the WSUS Server, and on the SCCM Server. This doesn't need to be on client machines unless you require all connections use SSL.
One thing to try in IIS is to go to the WSUS Administration Site > Client Web Service > SSL Settings, and uncheck the box to "Require SSL". If there's an issue with client authentication related to SSL, then unchecking that box should allow clients to access the resource. SSL connections can still be made with this box unchecked. If unchecking the box doesn't change anything, there may be an internal proxy/firewall authentication issue.
The self-signed cert is explained here: Creating, Exporting And Importing A WSUS Self-Signed Certificate With The Shavlik Patch Plugin
Our SSL guide is here: How To: Configure IIS to Use SSL Connections on Your WSUS Server - Self-Signed Certificate
SSL is not strictly required (though recommended by MS).
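To tell the two certificates apart on a machine, the following added example (not part of the original post) loads an exported certificate, reports from its Enhanced Key Usage whether it is a code signing or an SSL certificate, and checks whether it is present in the local Trusted Publishers and Trusted Root stores. The file path is a placeholder, and the choice of those two stores assumes a self-signed publishing certificate that clients must trust both as a root and as a publisher.

```powershell
# Added example. $CerPath is a placeholder for the certificate exported from the WSUS server.
param([string]$CerPath = 'C:\Temp\wsus-publishing.cer')

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # EKU: Code Signing
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication (SSL/TLS)

function Get-CertificateRole {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Collect the Enhanced Key Usage OIDs; a certificate with no EKU extension is unrestricted.
    $ekuOids = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    if ($ekuOids.Count -eq 0)               { return 'No EKU (any purpose)' }
    if ($ekuOids -contains $CodeSigningOid) { return 'Code signing' }
    if ($ekuOids -contains $ServerAuthOid)  { return 'SSL server authentication' }
    return 'Other'
}

# Load the exported public certificate (.cer); no private key is needed for this check.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$now  = Get-Date

# One summary object: what the certificate is for, and whether this machine trusts it.
[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $cert.Thumbprint
    Role               = Get-CertificateRole -Certificate $cert
    SelfSigned         = ($cert.Subject -eq $cert.Issuer)
    WithinValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    InTrustedPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
    InTrustedRoot      = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
}
```

Run on a client against the publishing certificate, the role should read "Code signing" and both store checks should be True; a certificate that reports "SSL server authentication" is the IIS one and belongs on the WSUS and SCCM servers instead.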