Mac OS X 10.5.3 (and later) / Safari:
You will be prompted to select a client certificate when server requests it.
An Identity Preference is then created for the associated URL and Cert.
Server Side Configuration Caveat:
Safari may not prompt you to select a client certificate if the server you are attempting to authenticate to is configured to *optionally* accept (rather than require) client authentication. Many of the US Federal Government web servers are configured for *optional* rather than *required*, since there is still a transition from User/Pass over to Smart Cards.
System will auto create Identity Preference *IF* Server configured for *required*
As noted in the KBase article referenced above, when accessing a website configured as *required*, Safari will prompt the user for the appropriate certificate to use for client authentication, but ONLY if it is configured as *required*.
Manually Creating Identity Preferences -- Server configured for *optional*
In this case you can force a particular client certificate to be sent by manually creating an identity preference item for the desired server authentication. Note that it is important to know the correct URL for the actual authentication process which may significantly differ from the standard login URL.
For example, if you are authentication to AKO:
NOTE:
It is best to not try and fully qualify the complete URL, but rather just include the FQDN - Fully Qualified Domain Name for the server you are authenticating to. Also, be careful and ensure you have terminated the URL with the "/" to complete the proper host specification. For example, do not just enter the above URL as https://akocac.us.army.mil without the trailing "/", because it will fail for you.
Also, make sure that you are selecting the *proper* Certificate from the card. *Proper* means the certificate expected / required by the Server for user authentication. It may require you to check with your local Admin or help desk to determine which certificate is required for that site.
Since you are manually creating the Identity Preference, you need to ensure that you are selecting the right one. The Certificate selected is easily changed by opening up the "Identity Preference" within your default keychain using Keychain Access and selecting an alternative Certificate.
Troubleshooting:
To provide you and Apple with the ability to troubleshoot why you may still be failing to authenticate to a given server, Apple enabled a debug flag which, when enabled, will log identity preference information to the System log (/\var/log/system.log).