Already quite some time ago, I patched stunnel to enable it to dispatch (no pun intended) incoming connection requests to target host address/port number combinations depending on the subject of the presented client certificate. The lookup for that is done in an LDAP directory. I’ve posted the patch (written in my copious free time :) to the stunnel users list and to the webmaster for inclusion in stunnel’s patches page. As soon as I’ve tested it in a real world environment (coming shortly to a theater near you) I’ll write some documentation.
The full patch and a little description are here