The test on line 947 of PK11Finder.c is if(certExists). Actually, certExists tells whether the associated key exists, which it will for a user cert. So generally importing user certs will fail.
I removed the check. It looks like NSS > 3.3 will silently ignore the second certificate. Fixed in mozilla/security/jss/org/mozilla/jss/manage/PK11Finder.c on JSS_3_1_BRANCH (22.214.171.124) and trunk (1.7). Michelle verified that she can now import a cert into CMS. To be really sure that this was the right fix, CMS should try it out with hardware, CA cert renewal, and all the other wacky situations they run into.