First you have to add a valid Certificate to the ASA, then change following in the configuration.
[sourcecode]
tunnel-group SSLClientProfile general-attributes
authentication-server-group AAA-TACACS+
!
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
[/sourcecode]
Then you can connect to the asa only with username and a user certificate.