Hi Mark,
sorry, maybe my response was not clear enough. What you do explain is documented as a trusted intermediary. You configure the client cert for the proxy (intermediary) by setting.
icm/HTTPS/trust_client_with_subject
icm/HTTPS/trust_client_with_issuer
If you have username/password based auth, the username/password fileds are either part of a basic password conversation or part of the form which is used in case of form based auth. Header fields are only accepted by the JAVA system (HeaderVariableLoginModule) or limited to X.509 certificates by ABAP.
The way you explain it might work if you create your own login module, however not with the one provided by SAP. However I'm also not sure, why this is even required, given that the feature you are asking for (accept only proxies, that can proof to be trusted) is already available.
If you still want to do it via a login module, there is a (rather old) slidedeck from teched giving you some info on how to start.
Regards,
Patrick