The referenced article says:
Next, the driver contacts the key store, containing the column master key, in order to decrypt the encrypted column encryption key value and then, it uses the plaintext column encryption key to encrypt the parameter. The resultant plaintext column encryption key is cached to reduce the number of round trips to the key store on subsequent uses of the same column encryption key. The driver substitutes the plaintext values of the parameters targeting encrypted columns with their encrypted values, and it sends the query to the server for processing.
If I read this correctly, the CEK is used to encrypt and decrypt the data, and the CMK is used to decrypt the CEKs. So both keys are used by the client to en-/decrypt.
Or am I reading this wrong?
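The flow in the quoted passage, sketched as an added example that is not part of the original post and is not code from any real driver: the client unwraps the CEK with the CMK once, caches the plaintext CEK, and uses it for every later encrypt and decrypt. `Driver`, `Demo` and `CEK1` are hypothetical names, and RSA-OAEP and AES-GCM from Go's standard library stand in for the key store operation and the column cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Driver struct { // hypothetical model of the client driver, not a real driver API
	cmk   *rsa.PrivateKey   // stands in for the key store holding the CMK
	calls int               // round trips made to the key store
	cache map[string][]byte // plaintext CEKs, keyed by CEK name
}

// aead unwraps the CEK with the CMK only on a cache miss, then builds the data cipher.
func (d *Driver) aead(name string, encCEK []byte) cipher.AEAD {
	if _, ok := d.cache[name]; !ok {
		d.calls++
		d.cache[name] = must(rsa.DecryptOAEP(sha256.New(), rand.Reader, d.cmk, encCEK, nil))
	}
	return must(cipher.NewGCM(must(aes.NewCipher(d.cache[name]))))
}

// Demo encrypts and decrypts constructed values; returns key-store round trips and success.
func Demo() (int, bool) {
	cmk := must(rsa.GenerateKey(rand.Reader, 2048))
	cek, nonce := make([]byte, 32), make([]byte, 12) // constructed CEK; 12-byte GCM nonce
	must(rand.Read(cek))
	encCEK := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &cmk.PublicKey, cek, nil))
	d, ok := &Driver{cmk: cmk, cache: map[string][]byte{}}, true
	for _, pt := range []string{"constructed-1", "constructed-2", "constructed-3"} {
		must(rand.Read(nonce)) // fresh nonce per value
		ct := d.aead("CEK1", encCEK).Seal(nil, nonce, []byte(pt), nil) // parameter as sent
		got, err := d.aead("CEK1", encCEK).Open(nil, nonce, ct, nil)   // result as read back
		ok = ok && err == nil && string(got) == pt
	}
	return d.calls, ok
}

func main() { fmt.Println(Demo()) }
```

Six cipher operations run against the same CEK, yet the key store counter stays at one because every call after the first is served from the cache.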