View Issue Details

ID: 0005765
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2020-09-16 14:26
Reporter: Frank Fischer
Assigned To: Matthias Damm
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0005765: Clarify how the server should check the ClientCertificate from CreateSession
Description

During the Create/ActivateSession the client and server prove to each other the possession of their private keys by creating the Client/ServerSignature; these signatures are created with the Client/ServerCertificate exchanged during CreateSession. For these checks to make sense, the Client/ServerCertificate needs to be trusted, and for the ServerCertificate it is stated:
"The Client shall verify that this Certificate is the same as the one it used to create the SecureChannel."

So the client may only accept the certificate already trusted in OpenSecureChannel. For the server, however, no such statement exists about how to verify the ClientCertificate; the only indication is given in the description of ActivateSession:
"Subsequent calls to ActivateSession may be associated with different SecureChannels. If this is the case then the Server shall verify that the Certificate the Client used to create the new SecureChannel is the same as the Certificate used to create the original SecureChannel."

So there is a strong indication that the ClientCertificate must also be the same as used for OpenSecureChannel. If this is the case, the ClientCertificate parameter should also be extended with the following text:
"A Client shall prove possession by using the private key to sign the Nonce provided by the Server in the response. The Server shall verify that this Certificate is the same as the one it used to create the SecureChannel."

Tags: No tags attached.

Activities

Matthias Damm

2020-09-16 14:25

developer   ~0012853

Added
A Client shall prove possession by using the private key to sign the Nonce provided by the Server in the response. For SecureChannels that use the Application Instance Certificate the Server shall verify that this Certificate is the same as the one it used to create the SecureChannel.

Changed in
OPC 10000-4 - UA Specification Part 4 - Services 1.05.0 Draft10.docx
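
The check described in the added text, together with the ActivateSession rule quoted in the description, as an added example that is not part of the issue, the specification, or any OPC UA stack. The `SecureChannel` and `Session` classes, the result strings and the certificate byte strings are hypothetical; trust-list validation in OpenSecureChannel and verification of the ClientSignature are assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"0\x82constructed-der-client-A"
CERT_B = b"0\x82constructed-der-client-B"

@dataclass(frozen=True)
class SecureChannel:
    channel_id: int
    # Certificate validated during OpenSecureChannel. None models a channel
    # that does not use an Application Instance Certificate (assumption).
    client_cert: Optional[bytes]

class Session:
    """Hypothetical server-side session state, not a real stack's API."""

    def __init__(self) -> None:
        self.bound_cert: Optional[bytes] = None
        self.created = False

    def create_session(self, channel: SecureChannel,
                       client_certificate: Optional[bytes]) -> str:
        # Only on channels that use the Application Instance Certificate must
        # the CreateSession certificate equal the channel's certificate.
        # Compare the full encoding, not just a subject name.
        if channel.client_cert is not None and client_certificate != channel.client_cert:
            return "REJECT_CERT_MISMATCH"
        self.bound_cert = channel.client_cert
        self.created = True
        return "OK"

    def activate_session(self, channel: SecureChannel) -> str:
        # ActivateSession may arrive on a different SecureChannel; that
        # channel's certificate must be the one from the original channel.
        if not self.created:
            return "REJECT_NO_SESSION"
        if channel.client_cert != self.bound_cert:
            return "REJECT_CERT_MISMATCH"
        return "OK"

def demo() -> list:
    trusted = SecureChannel(1, CERT_A)
    s = Session()
    return [
        Session().create_session(trusted, CERT_B),      # differs from channel cert
        s.create_session(trusted, CERT_A),              # same as channel cert
        s.activate_session(SecureChannel(2, CERT_A)),   # new channel, same cert
        s.activate_session(SecureChannel(3, CERT_B)),   # new channel, other cert
        Session().create_session(SecureChannel(4, None), CERT_B),  # rule not applicable
    ]
```

Without the first check, a signature made with the key for `CERT_B` would verify against a certificate the server never validated when the channel was opened.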

Jim Luth

2020-09-16 14:26

administrator   ~0012854

Agreed to changes edited in Virtual F2F.

Issue History

Date Modified | Username | Field | Change
2020-06-30 08:58 | Frank Fischer | New Issue |
2020-07-07 16:15 | Jim Luth | Assigned To | => Matthias Damm
2020-07-07 16:15 | Jim Luth | Status | new => assigned
2020-09-16 14:25 | Matthias Damm | Status | assigned => resolved
2020-09-16 14:25 | Matthias Damm | Resolution | open => fixed
2020-09-16 14:25 | Matthias Damm | Note Added: 0012853 |
2020-09-16 14:26 | Jim Luth | Status | resolved => closed
2020-09-16 14:26 | Jim Luth | Fixed in Version | => 1.05
2020-09-16 14:26 | Jim Luth | Note Added: 0012854 |