Please see http://acs.codeplex.com/discussions/242143:
1. The Entity ID in the WS-Federation metadata will be the Issuer Name in ACS. Please make sure that the IssuerName in the WIF STS token matches this entity ID.
2. The signing certificate should be in the WS-Federation metadata under the RoleDescriptor of type="fed:SecurityTokenServiceType". Make sure that the signing certificate you are using while generating WIF token matches this.