Q: How do I limit access to the CLI on the IDS/IPS SSM from ASA?
A: You can create user account separately in ASA/Firewall and IPS/SSM.
Basically, any account created in ASA/firewall can be used in SSM/IPS, unless if you used identical/the same username & password .
Q: Assuming I don't know the SSM 'cisco' user password or any other accounts (service, etc..), is there any other way for me to get into the SSM?
A: Yes, but you only used the following option below as last resort if you lost all means of access - all admin user accounts, including Service Account.
The only way to access the SSM is with recovery process where you have to start everything from scratch. Maybe this is due to security reason (which you're supposed to ensure admin account is maintained correctly).
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804596f0.html#wp1034193
Normally, it's a good to have at least 2 user accounts with admin priv, just in case you forgot the 1st one. The Service Account is meant for TAC Support.
Hope this helps.
AK