I got it.
I did everything from scratch again, but made sure before even beginning the tutorial in the article I did the following on the server and client:
/etc/hosts:
    192.168.2.5 puppet-db.apt15 puppet-db
    192.168.2.4 puppetmaster.apt15 puppetmaster puppet
    127.0.0.1 localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
/etc/sysconfig/network:
    Set hostname to [server name].apt15
Then:
    yum install ntp
    ntpdate pool.ntp.org
    ntpd
    shutdown -r now (then log in)
    setenforce 0
Then start the tutorial.
I also had to use puppetd --server myserver.domain.com --waitforcert 60 --test from the documentation instead of the lines in the guide to get the certificate signed and accepted.
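Added example, not part of the original post: Puppet certificates are issued to host names, so a name that resolves to the wrong address in /etc/hosts is worth catching before the agent requests its certificate. The sketch below checks a hosts-format file against the entries quoted above; the function names hosts_lookup, check_names and sample_hosts are hypothetical, and the sample file is constructed from the post's own lines.

```shell
#!/bin/sh
# Added example: preflight check of hosts-file name resolution before
# running the puppet agent. Function names are hypothetical.

# Constructed sample: the /etc/hosts entries quoted in the post.
sample_hosts() {
    cat <<'EOF'
192.168.2.5 puppet-db.apt15 puppet-db
192.168.2.4 puppetmaster.apt15 puppetmaster puppet
127.0.0.1 localhost.localdomain localhost   # loopback
::1 localhost6.localdomain6 localhost6
EOF
}

# hosts_lookup FILE NAME
# Print the address FILE maps NAME to. The first matching line wins, names
# compare case-insensitively, comments are ignored. Returns 1 if not found.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; found = 1; exit } }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_names FILE EXPECTED_IP NAME...
# Report every NAME that is missing or maps to another address.
# Exit status is the number of problems (0 means all names match).
check_names() {
    file=$1; expected=$2; shift 2
    bad=0
    for n in "$@"; do
        ip=$(hosts_lookup "$file" "$n") || {
            echo "MISSING  $n"; bad=$((bad + 1)); continue; }
        [ "$ip" = "$expected" ] || {
            echo "MISMATCH $n -> $ip (want $expected)"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_hosts > "$tmp"
check_names "$tmp" 192.168.2.4 puppetmaster.apt15 puppetmaster puppet \
    && echo "master names OK"
check_names "$tmp" 192.168.2.5 puppet-db.apt15 puppet-db \
    && echo "puppet-db names OK"
rm -f "$tmp"
```

Run against the real file with check_names /etc/hosts followed by the expected address and names; a MISMATCH to 127.0.0.1 means the name also appears on an earlier loopback line.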
The SecurID tokens aren't supported because the validation software is non-free, as far as I know. I've had a lot of fun with the yubikey hardware OTP generator for better-than-username-and-password authentication via PAM. The yubikeys are also noticeably cheaper than SecurID tokens, and don't seem to have a limited lifespan.
Specifically, I've set up ssh using the yubikey for authentication, which opens up the possibility of using ssh-based VPNs. My writeup's at http://www.teaparty.net/technotes/yubikey.html if it's of any use to you. Everything involved is GPLed or better.
I've also seen people using PAM-based authentication steps with OpenVPN, which opens the possibility of getting OpenVPN to work with the yubikey. The guys at Securix Live say they're working on a fully two-factor PAM module for the yubikey, and while I haven't been able to get it to work yet, that would give you the final piece of what you asked for.
If you do get OpenVPN working with a yubikey, do let us know - and write about it!
Best Answer
I spent a while trying to find documentation on this, and got this from a Fortinet Engineer.
./forticlientsslvpn_cli --server 172.17.97.85:10443 --vpnuser forti
Make sure the command is run from the sslvpn directory. Substitute the IP address with the one of your server.