Nick - you responded to an extremely old posting which the poster never updated.
Blair - This is documented in the Secure Login Client manuals. You can use both existing Kerberos and X.509 certificates if your users and configuration are maintained properly. If you have not hidden them through profile settings, they will show in the Secure Login Client and can be selected for Login to SAP.
Check out video 5 on this link: http://scn.sap.com/docs/DOC-40179