X.509 certificates are digitally-signed binary documents. A certificate contains information about the thing (a person, a computer, or anything else that can be given a name) it identifies - the subject. This information includes its name, where it's located, and a public encryption key that can be used to encrypt data for the subject, or verify the subject's digital signature. The certificate is signed by an issuer - usually a Certificate Authority (CA) - who is vouching for the subject's authenticity. If one side of an SSL transaction (the client or the server) sends a certificate, the other side can validate that certificate and decide whether it trusts the user; if the certificate is invalid or the recipient doesn't trust the issuer, the conversation is terminated.
When SSL is used with HTTP (HTTPS), typically only the server sends a certificate. The client checks the certificate against a list of trusted CAs (also known as trusted roots), and performs some other checks in order to decide whether it's talking to the server it wanted to connect to. This helps prevent an attacker from impersonating the server.
It is also possible to have the client program (which may be a web browser, an application invoking a web service etc.) send a certificate, which identifies it to the server. This can provide additional security without making users send usernames and passwords or otherwise proving their identity.
CICS supports user sign-on with certificates for CWI servers.