Log out of a mutually authenticated TLS session in ECMAScript?

Over the years I have worked on a number of projects involving the use of mutually authenticated TLS as a means to authenticate users in browsers. One of the things that have prevented these solutions from getting broad deployment is the inability to log out once logged in.

You see, the problem is that IE (and other browsers, for that matter) doesn't provide a way for you to reset the TLS session once it's established. Well, technically IE did (as of 6.0), in a very buried option in settings called reset SSL session state (like that's obvious to regular Joes).

Well, in IE7 they added a way for you to actually do this from JScript, which means you can have a "Sign Out" button in your page, just like traditional cookie-based schemes use.

All you need to do is call:

document.execCommand("ClearAuthenticationCache");

And the SCHANNEL session cache for IE (all IE sessions) is reset. It's a bit brute force, since it doesn't just reset that one session, but it's WAY better than closing IE and starting all over (especially now that IE supports tabs).
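A "Sign Out" button built around that call might look like the following. This is an added example, not code from the original post; the function names `clearTlsClientAuth` and `wireSignOut` and the element id `sign-out` are hypothetical, and it assumes browsers that do not implement the command either return false or throw.

```javascript
// Added example: sign-out handler around the IE7+ call shown above.
// clearTlsClientAuth, wireSignOut and the "sign-out" id are hypothetical names.

// Returns "cleared", "unsupported" or "error" so the caller can fail closed.
function clearTlsClientAuth(doc) {
  if (!doc || typeof doc.execCommand !== "function") {
    return "unsupported";
  }
  try {
    // IE7+ returns true once the cache is flushed. Assumption: browsers that
    // do not implement this command return false or throw.
    var ok = doc.execCommand("ClearAuthenticationCache");
    return ok === true ? "cleared" : "unsupported";
  } catch (e) {
    return "error";
  }
}

// Attach the handler to a button and report the outcome through showMessage.
function wireSignOut(doc, button, showMessage) {
  button.onclick = function () {
    var result = clearTlsClientAuth(doc);
    if (result === "cleared") {
      // The reset covers all IE sessions, not only this page.
      showMessage("Signed out. All open IE sessions must authenticate again.");
    } else {
      // Never claim a sign-out while the TLS session may still be cached.
      showMessage("Sign-out is not supported here. Close the browser to end the session.");
    }
    return result;
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  var signOutButton = document.getElementById("sign-out");
  if (signOutButton) {
    wireSignOut(document, signOutButton, function (msg) { alert(msg); });
  }
}
```

The handler reports success only when the call returns true, so a user on a browser without the command is told the session is still live instead of being shown a false sign-out.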

Posted on Monday, March 12, 2007 8:02 PM
