Yea I second that, and have been doing this combination for years. For the client programs:

  Pidgin with OTR - Linux/Windows
  Adium with OTR - Mac
  ChatSecure/ZOM - iOS/Android

Used on top of some XMPP service underneath such as Cisco Jabber.

On that matter: Can anybody recommend XMPP clients that support GSSAPI/SASL/Kerberos user authentication?

I'd really love to implement thorough self hosted SSO infrastructure that authenticates against a crypto token (Yubikey, Nitrokey, GPG smartcard). Doing this for e-mail and SSH logins is straightforward (BT;DT). And the Prosody documentation is promising with that respect, so the server side should be doable as well. But on the XMPP client side all I can find are some maillist posts where people supposedly got it working with Pidgin, but no howtos or similar to be found.

One thing that I also want to implement is kerberized OAuth and OpenID; however there are only very few services where you can actually log in with something other than Google, Twitter or Facebook – StackExchange used to offer login via custom OpenID, but they removed that a few years ago.