Geneva Server runs in two modes: server and proxy. When a proxy STS communicates with its "master", it secures the communication with a certificate. Which cert does the master require the proxy to use when talking to it? If you open the MMC, you'll see a Certificates node (as shown in the following screenshot):
Given this, you may ask yourself: does the master server require the proxy to use the one that is set under "Service communications", "Information card signing", "Token-decrypting", or "Token-signing"? The answer is none of these. There is a Proxies node in the same treeview. If you right-click this node, you'll see an "Add Proxy Certificate" menu item. This is where you configure the cert to be used, not in the Certificates node (obviously, right?!).