Currently we have an application using stunnel being presented by a Citrix presentation server.  

The first user authenticates over stunnel with a PKI cert and every user thereafter creates a prompt for the first user again and again for each user that also tries to get into the app.  Is there a way for stunnel to be separated based on something that pertains to the user trying to get access?  We are using a PKI solution based on certificates.  It's like every new user is hijacking the first users' stunnel session.   Any help would be appreciated!

Thank you,