The SSL certs that we use contain multiple cn's in the dn, such as
dn="cn=%1, cn=hostname, cn=app, cn=project, ou=team, o=company, c=ww"
I do not know why they are created in this way. It is probably something legacy related. Anyway, with this ActiveMQ cpp will not find the hostname from the dn and fail dual ssl authentication.
Here is a page on openssl that states the specific limitation of the method used in the code http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html
And this link shows an example usage of the suggested method