Move HttpClient TLS TrustEngine use to a X509TrustManager impl

Implemented as described.  There's a new ThreadLocalX509TrustManager, which evaluates thread-local trust engine and criteria set.  The SecurityEnhancedTLSSocketFactory now is greatly simplified and is just about setting up the thread-local data and ensuring that it gets cleaned up later on.

I think it works a lot more sensibly now.  In this model the "inner socket factory" of the security-enhance one is no longer a no-op one.  Its configured trust manager actually does all the real work, including the hostname verification.

I ran into one minor issue in the IdP, in the unit test for HttpClientProxyValidator.  With the new trust manager impl, instead of seeing an SSLPeerUnverifiedException on cert validation failure, one now sees (what I believe is) the standard JSSE behavior of an SSLException wrapping the original CertificateException thrown by the trust manager.  The CAS component does some eval of various exception types and re-maps/re-thows in some cases.  So the assumption in the test of the concrete exception type that percolates out was now wrong and needed to be adjusted.  I doubt this really has much practical effect, since a TLS failure is a failure.  I'll let @Marvin Addison  comment if he thinks otherwise.