For anyone else that struggles with this in the future due to absolutely no official documentation, you need to do the following on the client:
Create these registry keys and values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}]
@="CPEPC_PLAP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}\InprocServer32]
@="CPEPC_PLAP.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}]
@="CPEPC_PLAP"

Run the following command to enable Secure Domain Logon:
"C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.exe" SDL -ST Enable
You don't actually have to create the registry values before running the trac command, but you do have to create the {A7FD389F-FAC9-4772-B6AF-54E09F65A2A3} keys under both CLSID and PLAP Providers.
If you create the keys, then the command will set the values for you.
If you don't create the keys, then trac.exe will not create the values and the logon screen icon will not appear.
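
The steps above as a single PowerShell script, added here as an example and not part of the original post: it creates the keys only where they are missing, runs the trac command from the post, then checks that the four values the post lists were actually written. The GUID, key paths, trac.exe path and expected data are taken from the post; pre-creating the InprocServer32 subkey and treating any missing value as a failure are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Run in an elevated 64-bit PowerShell so that
# HKLM:\SOFTWARE is not redirected to Wow6432Node.
$guid  = '{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}'
$trac  = 'C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.exe'
$clsid = "HKLM:\SOFTWARE\Classes\CLSID\$guid"
$plap  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\$guid"

# Values expected once SDL is enabled, as listed in the post ('' = the key's default value).
$expected = @(
    [pscustomobject]@{ Key = $clsid;                  Name = '';               Value = 'CPEPC_PLAP' }
    [pscustomobject]@{ Key = "$clsid\InprocServer32"; Name = '';               Value = 'CPEPC_PLAP.dll' }
    [pscustomobject]@{ Key = "$clsid\InprocServer32"; Name = 'ThreadingModel'; Value = 'Apartment' }
    [pscustomobject]@{ Key = $plap;                   Name = '';               Value = 'CPEPC_PLAP' }
)

# 1. Create each missing key, empty. Existing keys are left untouched so that
#    values already present are not wiped. (InprocServer32 is an assumption.)
foreach ($key in ($expected.Key | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
}

# 2. Enable Secure Domain Logon with the command from the post.
if (-not (Test-Path -LiteralPath $trac)) { throw "trac.exe not found at $trac" }
& $trac SDL -ST Enable

# 3. Verify that every value was written; a missing one means no logon screen icon.
$failed = 0
foreach ($e in $expected) {
    $actual = (Get-Item -LiteralPath $e.Key).GetValue($e.Name)
    $label  = if ($e.Name) { $e.Name } else { '(default)' }
    if ($actual -eq $e.Value) {
        Write-Host "OK      $($e.Key) : $label = $actual"
    } else {
        Write-Warning "MISSING $($e.Key) : $label (expected '$($e.Value)', found '$actual')"
        $failed++
    }
}
if ($failed) { throw "$failed PLAP registration value(s) missing or wrong." }
```

The verification loop in step 3 can also be run on its own to audit which machines have this pre-logon provider registered.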