on the login page, edit the security assist authenticate user server behavior.
On the session tab, click the plus button and select the Status column to save the users status in a session at login.
Use that session when creating the access rule for the certificate.