I think this sounds possible, although I'm not sure of the performance issues that could be incurred as a result of PDStorage (depending strongly on how it is evaluated, it could be intensive in the IO department).
If you were to implement this you would probably maintain two PDstorage containers (to keep PDstorage usage to a minimum), one to indicate that the user has information in data-storage (this would reduce a lot of IO potentially) and another with the actual data-storage.
The data-storage would contain information about the sites that the user has acknowledged for overriding (such as the certificate serial #). Then when certificate verification takes place you would have a rule to A) check if the user has data in the storage, and B) check what information is in storage, then allow based on the certificate serial number.
Unfortunately I'm a bit time crunched to mock this up.
Understand the time crunch. Will see what I can do with your idea.
If I'm interpreting correctly, one PDStorage instance would contain user id and site name and the second would contain user id and cert sha hash.
So the user would go to a site and would get a coaching page. MWG would store two different bits of data -- one into PDStorage "Sites" and one into PDStorage "Cert Hashes" (or something like that). Then, when they went to a new site that had the same issue, MWG would first check to see if there was an entry for that site in PDStorage "Sites" and, if there was an entry, would compare against the SHA1 hash in PDStorage "Cert Hashes"...
Or something like that?
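To make the two-container idea from both posts concrete, here is an added Python model of the lookup logic (not MWG rule syntax and not code from either poster). The container names, the `(user, site)` key and the DER byte strings are assumptions; the point it shows is that the second check must compare the presented certificate's hash, so a changed certificate on an acknowledged site triggers coaching again instead of being silently allowed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class OverrideStore:
    """Stand-in for the two PDStorage containers described in the thread."""
    # "Sites" container: users that have any acknowledged override at all
    users_with_data: set = field(default_factory=set)
    # "Cert Hashes" container: (user, site) -> SHA-1 of the acknowledged certificate
    cert_hashes: dict = field(default_factory=dict)

    def record_override(self, user: str, site: str, cert_der: bytes) -> None:
        """Called after the user accepts the coaching page."""
        self.users_with_data.add(user)
        self.cert_hashes[(user, site)] = hashlib.sha1(cert_der).hexdigest()

    def decide(self, user: str, site: str, cert_der: bytes) -> str:
        """Return 'allow' or 'coach' for a certificate verification failure."""
        # A) cheap membership check first; most users never touch the big store
        if user not in self.users_with_data:
            return "coach"
        # B) look up what was acknowledged for this site
        stored = self.cert_hashes.get((user, site))
        if stored is None:
            return "coach"
        # Compare the hash, not just the site name: a different certificate
        # on a previously accepted site is a new decision for the user.
        if stored != hashlib.sha1(cert_der).hexdigest():
            return "coach"
        return "allow"


def demo() -> list:
    """Walk through the flow with constructed certificate bytes."""
    store = OverrideStore()
    cert_a = b"constructed-DER-for-site-a"   # constructed sample, not a real cert
    cert_b = b"constructed-DER-for-site-a-v2"
    results = [store.decide("alice", "a.example", cert_a)]   # no data yet -> coach
    store.record_override("alice", "a.example", cert_a)
    results.append(store.decide("alice", "a.example", cert_a))  # match -> allow
    results.append(store.decide("alice", "a.example", cert_b))  # cert changed -> coach
    results.append(store.decide("bob", "a.example", cert_a))    # other user -> coach
    return results
```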