You will simply have a different login module. Roles are treated exactly the same. You can use a module that does its own role loading (such as CertRolesLoginModule and DatabaseCertLoginModule) or stack a role loading module after the authentication module as is done in the wiki example:
OK, I think I understand how it works now:
We add 2 levels of authentication: a certificate login module or a login role module.
The first level of authentication would be the certificate login module, and after that, using the user/password already authenticated ("useFirstPass"), it will match the role associated in the roles.properties.
That's just fine. I was supposing that the certificate login module could also handle the roles, but it never can do that because it was never designed for that. It must work in collaboration with a specific role login module.
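
A stacked configuration of the kind discussed in this thread, as an added example that is not the wiki's or either poster's own: a `login-config.xml` policy in which `BaseCertLoginModule` authenticates the client certificate and `UsersRolesLoginModule` then loads roles for the same identity via `password-stacking=useFirstPass`. The policy name `client-cert-domain`, the JSSE domain `java:/jaas/client-cert-jsse`, and the properties file names are assumptions chosen for illustration.

```xml
<!-- Added example. The policy name, JSSE domain and file names are assumed. -->
<application-policy name="client-cert-domain">
  <authentication>

    <!-- Step 1: authenticate the X.509 client certificate.
         This module establishes the identity but assigns no roles. -->
    <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
                  flag="required">
      <!-- Publish the authenticated identity in the shared login state
           so that the next module in the stack can reuse it. -->
      <module-option name="password-stacking">useFirstPass</module-option>
      <!-- Security domain whose truststore is used to verify the
           presented certificate (assumed name). -->
      <module-option name="securityDomain">java:/jaas/client-cert-jsse</module-option>
    </login-module>

    <!-- Step 2: load roles only. With useFirstPass this module takes the
         identity from the shared state instead of authenticating again. -->
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
    </login-module>

  </authentication>
</application-policy>

<!-- roles.properties is keyed by the principal name produced in step 1,
     which by default is the certificate subject DN. Properties syntax
     requires '=' and spaces in the key to be escaped (constructed entry):

     CN\=client,\ OU\=Example\ Unit,\ O\=Example\ Org,\ C\=US=AppUser
-->
```

Both modules are `required`, so a certificate that verifies but has no matching entry in `roles.properties` yields an authenticated principal with no roles, and access is then decided by the role constraints on the protected resource.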