You could roll back to PEAP, using LDAP or MSCHAPv2 for authentication. You'll still authenticate the server and get dynamic keys, but the client authentication will still occur at the domain level.
Other than that, I don't think you can have a "mobile/portable" certificate (that would be more like a SecurID fob).
FWIW
Scott