Unfortunately I don't have any first hand experience of this. I believe both JSecurity and Acegi Spring Security handle X509 certificates and there are plug-ins for both of these in Grails. In chapter 5 I show how to use the JSecurity plug-in, although the application just uses simple username and password form authentication.
Alternatively, is this something that you can let the servlet container (i.e. Tomcat) handle when deploying to production?