You cannot authenticate the VPN client certificate with ISE. The authentication and validation is done on the ASA itself. You can of course issue certs to the VPN users using ISE and have the CRL checked against the ISE local CA, but the verification of the SSL cert is done only on the ASA for Anyconnect VPN. You can combine Certificate and RSA authentication on the ISE. If you set the ASA to send Radius request to ISE, which then forwards it to ASA, you can get authorization attributes from ISE if that's what you are looking for.