I have been wondering about this as well. Specifically around securing a client cert private key password.
Given that the details for the site are stored in the profile manager, I assume that the client cert private key password would also be covered by TEA?
What I am not clear on is how the key for TEA is set. I can't see an option to supply a password, for example, to serve this purpose.
Failing that, is there a way to provide the client cert private key password only at connect time?