This functionality exists using secondary verification certificates which exists in our New 12.6 Ca Single Sign On Version (Siteminder).
Only the 12.6 version can configure a secondary verification certificate alias at the IdP and SP to verify the signatures on messages.
A remote entity can issue a new verification certificate any time. A sentence to best answer the particular question above is the following
Specifying a secondary verification certificate eliminates the need to coordinate system-wide updates of signing and verification certificates simultaneously.
This information above is based on the link below in Additional Information