We are actually working on this right now for a customer. If you can wait a week, we're going to post an interception script and recipe. It's more complex than you might think.
We'll define a path in the tomcat container that requires cert authentication, for example https://idp.example.com/oxauth/cert
The tomcat config will look something like this:
<security-constraint>
    <display-name>Client Cert Authn</display-name>
    <web-resource-collection>
        <web-resource-name>Client Cert Login URL</web-resource-name>
        <url-pattern>/certlogin</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
When the person logs in, they will be redirected to this folder, which will force a re-handshake for SSL/TLS; this is needed so we can obtain the client cert in the web session. At that point, we'll be able to write a custom authentication interception script to inspect the client certificate and compare claims in the cert against the user's entry in LDAP.
Stay tuned... we'll post to this ticket when it's done.
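The last step the post describes, inspecting the client certificate and comparing its claims against the user's LDAP entry, as an added example in plain Python 3. This is not the interception script the post promises and does not model the oxAuth script API; it only shows the matching policy. The certificate is taken in the dictionary form that Python's `ssl.getpeercert()` returns, the LDAP directory is a constructed in-memory dict standing in for a real search, and `TRUSTED_ISSUER_CNS`, the sample DNs and the sample certificate values are assumptions made for the example.

```python
"""Added example: map a presented client certificate to one LDAP user.

Not Gluu/oxAuth code. Certificates are handled in the dict form produced by
ssl.getpeercert(); the directory is a constructed dict, not a live LDAP server.
"""
import ssl
import time

# Assumption for this example: subject CN of the CA allowed to issue client
# certificates. Tomcat's truststore may hold several CAs, so the policy pins
# the issuer instead of trusting anything that passed the handshake.
TRUSTED_ISSUER_CNS = {"Example Corp Client CA"}


def _name_field(name, field):
    """First value of `field` in a getpeercert() subject/issuer tuple,
    e.g. ((('commonName', 'Alice'),),) -> 'Alice'."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def cert_claims(peercert):
    """Extract the claims the matching policy relies on from a getpeercert() dict."""
    emails = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "email"]
    legacy = _name_field(peercert.get("subject", ()), "emailAddress")
    if legacy and legacy not in emails:
        emails.append(legacy)  # old-style emailAddress RDN instead of a SAN
    return {
        "cn": _name_field(peercert.get("subject", ()), "commonName"),
        "issuer_cn": _name_field(peercert.get("issuer", ()), "commonName"),
        "serial": peercert.get("serialNumber"),
        "emails": [e.lower() for e in emails],
        "not_before": ssl.cert_time_to_seconds(peercert["notBefore"]),
        "not_after": ssl.cert_time_to_seconds(peercert["notAfter"]),
    }


def match_cert_to_user(peercert, ldap_entries, now=None):
    """Return (dn, None) for exactly one matching active user, else (None, reason).

    ldap_entries is {dn: {"mail": str, "active": bool}}; a real deployment would
    run an LDAP search on mail instead of scanning a dict."""
    now = time.time() if now is None else now
    claims = cert_claims(peercert)

    if claims["issuer_cn"] not in TRUSTED_ISSUER_CNS:
        return None, "untrusted issuer"
    if not (claims["not_before"] <= now <= claims["not_after"]):
        return None, "certificate outside its validity period"
    if not claims["emails"]:
        return None, "certificate carries no email claim"

    candidates = [
        dn for dn, entry in ldap_entries.items()
        if entry.get("mail", "").lower() in claims["emails"] and entry.get("active")
    ]
    if not candidates:
        return None, "no active user matches the certificate"
    if len(candidates) > 1:
        # A mail value shared by several entries is an ambiguity, not a login.
        return None, "certificate matches more than one user"
    return candidates[0], None


# Constructed sample data (not real certificates or directory entries).
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "Alice Example"),)),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Corp Client CA"),)),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("email", "alice@example.com"),),
}
EXPIRED_PEERCERT = dict(SAMPLE_PEERCERT, notAfter="Mar 31 23:59:59 2024 GMT")
ROGUE_CA_PEERCERT = dict(SAMPLE_PEERCERT, issuer=(((("commonName", "Some Other CA"),)),))
INACTIVE_USER_PEERCERT = dict(SAMPLE_PEERCERT, subjectAltName=(("email", "carol@example.com"),))
SHARED_MAIL_PEERCERT = dict(SAMPLE_PEERCERT, subjectAltName=(("email", "dave@example.com"),))

SAMPLE_LDAP = {
    "uid=alice,ou=people,dc=example,dc=com": {"mail": "alice@example.com", "active": True},
    "uid=bob,ou=people,dc=example,dc=com": {"mail": "bob@example.com", "active": True},
    "uid=carol,ou=people,dc=example,dc=com": {"mail": "carol@example.com", "active": False},
    "uid=dave,ou=people,dc=example,dc=com": {"mail": "dave@example.com", "active": True},
    "uid=dave2,ou=people,dc=example,dc=com": {"mail": "Dave@example.com", "active": True},
}
# Fixed "current time" so the validity check is deterministic.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")

if __name__ == "__main__":
    for label, cert in [("ok", SAMPLE_PEERCERT), ("expired", EXPIRED_PEERCERT),
                        ("rogue CA", ROGUE_CA_PEERCERT), ("inactive", INACTIVE_USER_PEERCERT),
                        ("shared mail", SHARED_MAIL_PEERCERT)]:
        print(label, "->", match_cert_to_user(cert, SAMPLE_LDAP, now=SAMPLE_NOW))
```

The issuer pin and the "exactly one active user" rule are the two checks most easily forgotten once Tomcat has accepted the handshake: chain validation proves the cert came from some trusted CA, not that this CA is the one allowed to log users in, and a duplicated `mail` value would otherwise let one certificate authenticate as an arbitrary one of two accounts.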