From what I think I know, if you set your auth-method (in web.xml) to CLIENT_CERT, then the certificate should be the credential (i.e. password). So I would expect a check to see if user has authenticated against the authentication cache would result in the certificates being compared. Is this not what is happening for you? If you are using CLIENT_CERT, what password are you referring to?
I guess if I change auth-method from FORM to CLIENT_CERT, then user is not presented the login form to enter name and password.
Current login requirements are: user enters name and password (checked by one LoginModule), and then the certificate in HttpRequest is checked if it is registered for this user (by other LoginModule). Certificate added as a credential to the subject by the second LoginModule. If I could somehow mark this credential as "check needed always" (as with password)...