Quick update. It appears we'll end up going with the ACA module option for Cert and Form stepup with multi-match option.
I marked the reply mentioning this as the correct answer.
One thing for anyone wanting to implement it: there are a couple of known issues (cases opened, and they should be addressed in a future release):
1 - If you have an incorrect path to the configuration file in the auth scheme, it will crash the Policy Server. Make sure you enter the right path.
2 - To do the multiple-match step-up you also need to include this in the parameter list: "multiplematchresolution=StepUp". This was not in the document included with the module.
If you don't do that in the scheme, then the errors will say that the authenticated user did not match one of the DNs of the matching certificate.
E.g.,
fcc=https://mylogin.company.com/certandform/SmX509StepUpLogin.fcc?cert+forms;option=StepUp;tokenTtl=120;tokensep=~;MultipleMatch=yes;multiplematchresolution=StepUp;cfg=C:\PSPath\SmX509CertAuthSettings.cfg
--------------------------
And a helpful hint that at least seems to work OK so far:
If you want all your users to be in the same OU in a directory, leverage the "User Object" on the user directories. Since it just uses the Certificate Mappings defined, if you also need to support normal cert-only authentication but assign that cert to multiple users, it will fail.
To support both cert+form w/ mapping to multiple users and cert-only w/ mapping to a single user, specify a unique attribute to identify each group. This way, when the search is executed for cert-only, it finds ONLY a single user for normal login. But during cert+form for a "privileged" (or shared or test or whatever others you have) account it will fall to DirB, find multiple users, and step up to a higher level in this case based on the multi-match option in the scheme.
Example:
DirA
Description: Standard accounts with single matched certificate
User Object: (!(accountType=privileged))
DirB
Description: Privileged accounts
User Object: (accountType=privileged)
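Added example, not from the post above or from the ACA module itself: a pre-flight check that parses the step-up scheme parameter list and catches the two issues described (a cfg path that does not exist, and MultipleMatch=yes without multiplematchresolution=StepUp) before the scheme is saved to the Policy Server. The parameter-list syntax (semicolon-separated key=value pairs after the `?`) is inferred from the example in the post, and case-insensitive key matching is an assumption.

```python
# Added example, not from the original post or the ACA module: a pre-flight
# check for the step-up scheme parameter list described above.
import os

def parse_scheme_params(param_string: str) -> dict:
    """Split 'fcc=<url>?<mode>;key=value;...' into a dict.

    The first token after '?' (e.g. 'cert+forms') has no '=' and is stored
    under 'mode'. Keys are lower-cased for lookup only (assumption), since the
    post mixes 'MultipleMatch' and 'multiplematchresolution'; values keep case.
    """
    if not param_string.startswith("fcc="):
        raise ValueError("parameter list must start with fcc=")
    url, sep, query = param_string[len("fcc="):].partition("?")
    params = {"fcc": url}
    for token in (query.split(";") if sep else []):
        token = token.strip()
        if not token:
            continue
        if "=" in token:
            key, value = token.split("=", 1)
            params[key.strip().lower()] = value.strip()
        else:
            params["mode"] = token
    return params

def check_stepup_scheme(param_string: str, path_exists=os.path.exists) -> list:
    """Return the problems found; an empty list means the scheme looks safe.

    path_exists is injectable because the cfg path is local to the Policy
    Server host, so the check can be run elsewhere with a fake lookup.
    """
    params = parse_scheme_params(param_string)
    problems = []
    cfg = params.get("cfg")
    if not cfg:
        problems.append("missing cfg= parameter")
    elif not path_exists(cfg):          # wrong path crashes the Policy Server
        problems.append(f"cfg path not found on this host: {cfg}")
    if (params.get("multiplematch", "").lower() == "yes"
            and params.get("multiplematchresolution") != "StepUp"):
        problems.append("MultipleMatch=yes requires multiplematchresolution=StepUp")
    return problems

# Constructed sample: the parameter list from the post above.
SAMPLE = (r"fcc=https://mylogin.company.com/certandform/SmX509StepUpLogin.fcc"
          r"?cert+forms;option=StepUp;tokenTtl=120;tokensep=~;MultipleMatch=yes;"
          r"multiplematchresolution=StepUp;cfg=C:\PSPath\SmX509CertAuthSettings.cfg")
```

Run `check_stepup_scheme(SAMPLE)` on the Policy Server host itself so the default `os.path.exists` sees the real cfg path.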