Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Is there support for logging in to sites that use SecurID tokens? It is understood that some interaction is necessary to ascertain the dynamic token code. Thank you.

Re: support for securid login
by Corion (Patriarch) on Jun 10, 2013 at 20:32 UTC
      OATH will generate the 6-digit number, but I already have it as the physical token is in my possession (it does change every 60 seconds). I want to be able to submit the form that contains PIN + Token code (pin is static + those 6 digits) and be able to pass the login screen. When I compare headers for when I submit the form manually by old method via certificate and by a new method via token, all entries are identical with the exception of the expected cookie values for session and time. I suspect that there is some ENV that I need to set. Logically it is the realm field that invokes the certificate or the ace server, so my request does not get to ace and the header comes back without cookies set with the "invalid username or password" message (when I use mechanize as opposed to logging in manually, which is fine). Any ideas? The SecurID is using Juniper.

        Ah - I thought you wanted to completely replicate the login, given the securid secret.

        If your problem is "only" with replicating the communication and not with some JavaScript involved in the browser, the difference must be in the data that gets sent. If all headers are equal (except for the timestamps, and session cookies), then the difference must be in the payload data.

        I don't know if SSL certificates get triggered by the URL or only by the host. If they get triggered by the URL, you will have to look into how LWP::UserAgent chooses the fitting certificate(s) to verify that the correct one is chosen.
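
Added example, not part of the thread: one way to carry out the payload comparison suggested above is to build the POST body the script would send and diff it, field by field, against the body copied from the browser's network tab. The login form, its field names, the realm values and the captured body are all constructed for illustration and are not taken from any real Juniper page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Form;
use URI;

# Constructed login page: field names and realm values are hypothetical.
my $html = <<'HTML';
<form method="post" action="/login.cgi">
  <input type="hidden" name="tz_offset" value="0">
  <input type="text" name="username">
  <input type="password" name="password">
  <select name="realm">
    <option value="Certificate" selected>Certificate</option>
    <option value="SecurID">SecurID</option>
  </select>
  <input type="submit" name="btnSubmit" value="Sign In">
</form>
HTML

# Constructed body, as it would be copied from the browser after a manual login.
my $browser_body =
    'tz_offset=-240&username=alice&password=REDACTED&realm=SecurID&btnSubmit=Sign+In';

# Decode an application/x-www-form-urlencoded body into a hash reference.
sub fields {
    my ($body) = @_;
    my $u = URI->new('http://placeholder.invalid/');
    $u->query($body);
    my %f = $u->query_form;
    return \%f;
}

# Build what a script sends when it fills in only the credentials and submits.
my $form = HTML::Form->parse($html, 'https://vpn.example.invalid/');
$form->value(username => 'alice');
$form->value(password => 'REDACTED');
my $script_body = $form->click->content;

my ($sent, $seen) = (fields($script_body), fields($browser_body));
my %secret = (password => 1);    # never print credential values
my %all    = (%$sent, %$seen);

for my $name (sort keys %all) {
    my ($mine, $theirs) = map { $_->{$name} // '(absent)' } $sent, $seen;
    next if $mine eq $theirs;
    ($mine, $theirs) = ('***', '***') if $secret{$name};
    print "$name: script='$mine' browser='$theirs'\n";
}
```

Fields that differ only because the browser ran JavaScript or the user picked a different option (here the constructed `tz_offset` and `realm`) show up as mismatches even when the request headers look identical.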