I struggled hard to figure this out so I am putting it out there in hopes of saving someone else time. Writing a WCF C# Proxy service to the ACS API, I tried several of the .NET libraries suggested and finally arrived at a solution using System.IdentityModel.Tokens.Jwt from Microsoft. The real hangup was with the metascopes claim. It needs to be true as an object and not "true" as a string. The documentation on MSDN says that all claim values are strings but you can suggest a serialization by using an XMLSchema type. There are no examples so I tried xs:boolean to no avail and it fails silently, continuing to pass a string. The correct format for the argument is shown below.
Certificate storage is on your own, for now I am loading from a local .pfx file.