Thank you Gabriel for reply.
I was able to resolve this issue. It turned out to be not related to ExcludeFirefoxNSSCertStore option at all. I got an error due to incorrect format of AnyconnectLocalPolicy.xml file. I took this file from Cisco's documentation@
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac08localpolicy.html. However example is missing quotes on xmlns and xmlns:xsi elements in tag.
VPN client displayed "certificate invalid" error which is why I thought that it can not validate certificate itself:
>> error: The certificate on the secure gateway is invalid. A VPN connection will not be established.
But when I checked syslog I saw a more informative message which prompted me to validate xml against xsd schema.
May 30 13:19:13 MYHOST acvpnagent: Function: startParser File: Xml/CVCSaxParser.cpp Line: 182 Invoked
Function: xmlParseDocument Return Code: -1 (0xFFFFFFFF) Description: unknown
May 30 13:19:13 MYHOST acvpnagent: Termination reason code 59: Connection attempt failed due to certificate problems.