Peter,
The following context variables are available in policy after using a "Require SSL or TLS with Client Certificate Authentication" assertion (note that the "Require Client Cert Auth" must be selected in the assertion):
${request.ssl.clientCertificate} Returns the client side SSL certificate presented by the requestor (this is an X509Certificate object).
${request.ssl.clientCertificate.base64} Returns the same certificate as above, but as a Base64-encoded string with no white spaces.
${request.ssl.clientCertificate.pem} Returns the same certificate as above, but as a PEM-encoded string; this is formatted in Base64 with newlines, enclosed in the following wrapper:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Is this something that you could use in your scenario?
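
Added example, not part of the original reply and not the gateway vendor's code: a sketch of how a service that is handed either the `.base64` or the `.pem` value could normalize it to the same DER bytes and derive one SHA-256 fingerprint for allow-listing. The function names are hypothetical, the 64-column PEM wrap is the common convention rather than something the reply states, and the sample is constructed filler bytes, not a real certificate.

```python
import base64
import hashlib
import re

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def der_from_gateway_value(value: str) -> bytes:
    """Accept the .base64 or the .pem form and return the DER bytes."""
    text = value.strip()
    if text.startswith(PEM_HEAD):
        # Exactly one wrapped block; reject appended or concatenated certificates.
        if not text.endswith(PEM_TAIL) or text.count(PEM_HEAD) != 1:
            raise ValueError("expected exactly one PEM certificate block")
        body = text[len(PEM_HEAD):-len(PEM_TAIL)]
        b64 = "".join(body.split())   # PEM body: Base64 broken up by newlines
    else:
        b64 = text                    # .base64 form: no white space allowed
    if not B64_RE.fullmatch(b64):
        raise ValueError("value is not clean Base64")
    der = base64.b64decode(b64, validate=True)   # bad padding raises ValueError
    if der[0] != 0x30:
        raise ValueError("DER certificate must start with a SEQUENCE tag")
    return der


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in the BEGIN/END CERTIFICATE envelope, 64 columns per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n"


def sha256_fingerprint(value: str) -> str:
    """Fingerprint the DER bytes so both encodings compare equal."""
    return hashlib.sha256(der_from_gateway_value(value)).hexdigest()


# Constructed sample: DER-shaped filler bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = pem_from_der(SAMPLE_DER)

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_B64) == sha256_fingerprint(SAMPLE_PEM))
```

Comparing fingerprints of the decoded bytes, rather than the strings themselves, avoids mismatches caused only by line wrapping or the PEM wrapper.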