I think it will be good idea to open a TAC case, this requires more troubleshooting.Next step is to collect the "debug crypto ca 255" and "debug dap trace" from the ASA when you try to connect the Phone.
The IP Phones don't support CSD/Hostscan.Please apply this command on the ASA and let us know how it goes:tunnel-group VPN-PHONE webvpn-attributes without-csd
cjguinn, This is normally the URLs don't match.What is the URL you are using? Also can you provide the VPN section of the IP Phone configuration file and the "tunnel-group" configuration of the ASAAre you using "Host Id Check" on the CUCM?
We did a lab recreation here and we confirmed the VPN phone can connect using AnyConnect Essential License. This is an option instead of use the Premium License.
Mike,On the ASA you can apply just one certificate per interface, if this new tunnel-group (Different group-url) will connect to the same interface you don't need to create a new certificate for this one, you can use the one that you are using.Group-...
