I'm going to make a blind stab at this as I don't fully understand your question.
Certficates are used to authenticate the VPN client (the software) more so than the user. ACS does not provide certificate authentication. The CA provides validation of the certificate.
If you would like the Pix to authenticate a username/password in addition to checking the certificate for accounting purposes, then you'll need to use this:
crypto map map-name client authentication aaa-server-name
This will make the Pix to authentication of all dynamic VPN clients against the ACS server. It won't provide true accounting though. For that, you must configure the global [aaa authentication] and [aaa accounting] on the Pix.