SwitchYard has a CertificateCredential, a SOAPMessageCredentialsExtractor which can extract Certificates from a BinarySecurityToken WSSE header and creates CertificateCredentials (there is a junit test for this), and a CertificateCallbackHandler which can respond to a PicketBox ObjectCallback.

However, two things should be done:
1) Create our own ObjectCallback so as not to depend on PicketBox libraries.
2) Create our own CertificateLoginModule to verify that the caller supplied certificate was signed using the public key in a configured keystore.

As described above, most of the hard legwork is done. Looking at the JBossESB CertificateLoginModule, the work of doing this final piece appears simple.