First of all, I have to say that he question here is based on a migration project I have at work from Orion- to the Tomcat- webserver.
The thing I'd like some help with, is how to set up signing to applications; prefferably using SHA1withRSA, since that is the one we are using now and would probably cause a smoother migration?
We don't get paid here, so we're not exactly manning the desks all day long.
Unless Orion does does something I don't know about, that behaviour is built into your webapp and not part of how Tomcat or any other webapp server works. Usually if there's a client-side authentication certificate involved, it's just a matter of making it available to the user's browser, and then the webserver and web client negotiate its use transparently.
Customer surveys are for companies who didn't pay proper attention to begin with.