I can delete the cookie through a logoff action but it doesn't prompt the user to reenter their X509 password.
Are you talking about the password for their corresponding private key for their Certificate? If you are, they don't even have to have a password to their private key. They set that up themselves when they generated their public/private keys.
The password they use for their private key has nothing to do with your system, thus you shouldn't have any way of forcing them to re-enter a password.
If you don't like the idea of them being able to log in with only "something they have" then you'll need to implement a system with "something they know" also, such as a password. Right now if you are allowing log ins with Certificates then there really isn't a "log out" mechanism, except to remove the Certificate from the system. This is typically done with CAC's or thumb drives. The certificates stay on a mobile/removable type device and goes with the user.