I can't think of any reason why we shouldn't simply change the ssl-ca-cert line in up2date and rhn_register when the customer installs a new SSL client cert RPM. If they're installing the cert, it means that they want to use the cert, and it cuts down a step during the install.
this has gone on long enough, no one has officially complained so I'm closing this.