Web Application and WCF hosted together and enabling AD FS 2.0 claim based signon

while trying to enable ADFS based single sign-on for both the web application and wcf, I got the wcf service working however when trying to access web app, I got the following error message: ID4036: The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier Apparently we need to add the certificate for encryption of wcf sign-on, however this causes issue for the web application, tried various suggestion and no luck. At the end, I created another RP policy and separate the two and all work fine!