Version 1.x of SoftHSM does not support handing certificates (only raw keys) probably because that is what is needed for DNSSEC. Design for a future version 2.x of SoftHSM is under way and that version may (according to sources in the project) support most of PKCS#11 in which case it should work for saml-md-aggregator.