Unfortunately I don't know of a reliable way to do clean up, which is one reason I would think of a plugin maintained table which at least has the possibility of cleanup. This does point out a problem with the mentioned issue - if that is done there must be some reliable way to clean it up.
I'm not an SSL expert but something dangerous you could try is to see if there is an openSSL hook you can grab to do the cleanup. The dangerous part is it is likely the ATS core already has a callback in place so you'd need to retrieve that and call it from your hook.