I'm a programmer at my organization, but somehow got drafted into looking into some server stuff so forgive me of my ignorance:
They want to give our sales people secure access to our internal sites using their iPads. This must be secure (obviously) but also revocable from the company's side (if someone quits they can no longer access our network).
I see from http://support.apple.com/kb/HT1288 that the iPad supports "RSA SecurID", "CRYPTOCard", and "Kerberos" authentication methods. Will one of these do what we need? Are there any major differences between them?
Many vendors offer iPad clients for their VPN solutions, including OpenVPN. These can be downloaded from the App Store. You'll have to weigh the costs/benefits of each yourself, though.
Once you have a client connecting to a VPN server in your network, it is trivial to disable an existing account. Specific instructions for how vary by vendor.
Edit: Apparently the OpenVPN client requires jailbreaking. Juniper/Cisco/etc still offer non-jailbroken apps, though
Take a look into Juniper's MAG or SA series gateways. They're not that expensive, have an iPad/Iphone/Droid client, and can authenticate against certificates, users, LDAP, whatever. You can very strictly control access.
The "methods" you describe are merely authentication mechanisms, and those can be used in conjunction with such a solution, or a PPTP vpn, or insert VPN device of your choice here.