I've done something like this, but never with native ACE. What I did find when using Radius for secondary authentication was that - when the secondary authentication failed - no variables of the form [email protected] were populated.
I just tried what I think you are attempting, and see a difference between the parameters when ACE authentication is successful and not successful. If authentication is successful, then the parameter [email protected] (assuming ACE is the name of the secondary auth server) is populated. If authentication is unsuccessful, then [email protected] is not populated. So, you might be able to make a decision based on that.
I would be concerned about the number of failing authentications you would have through the RSA server. If your population that has tokens uses them everytime, then all will be OK. If they sometimes log on without their token, then that would be a failed authentication to ACE. Too many of them in a row disables an ACE account.
Also, it does not appear that you can do secondary authentication and not enter a password for that authentication with the standard pages. You could do custom pages and fill in some dummy password if the user did not enter one.
I was having quite a difficult time with this setup a few years ago. Ideally I would have liked to do RSA as the primary and AD as the secondary. However, if AD is secondary I cannot pull back group memberships to do proper mapping (AD is our central book of records). Having AD as a primary would work, however putting AD up for the world to try and lock out seemed like a pretty bad idea...
In the end I came up with this solution (due to a multi-domain environment and the need for a single web site sign-in for all users):
RSA as primary sign in
RADIUS as secondary sign in, which does LDAP lookups, authentication and returns group memberships via custom scripts.