Situation in the 1.2 branch
The default session cache that is included with PolarSSL 1.2 is not thread-safe.
PolarSSL modules assume that they exist in a single thread. If that is not the case, you should take caution to make sure that access to modules accross different threads is protected by mutexes.
Solution in the 1.2 branch
The session cache is only really useful if you use it as a global cache in your server. If you have multiple connection threads running in your server, you should encapsulate the ssl_cache_get() and ssl_cache_set() callbacks that you provide to the SSL layer (with ssl_session_cache()) with mutexes, to ensure thread-safe use!
Situation in later branches
Starting with the 1.3 branch and the introduction of the threading abstraction layer, the default session cache callbacks included in mbed TLS are thread-safe as soon as MBEDTLS_THREADING_C is enabled in config.h, see How do I configure mbed TLS.