Good question. This may have something to do with multi-valued attribute support in DAP, which may still be limited to aaa.ldap.memberOf. Use "debug dap trace" to understand how the ASA parses the certificate DN. You should see both subject_fulldn and subject_ou there. I believe that each OU component will be represented as a separate DAP attribute, e.g. subject_ou, subject_ou_1, subject_ou_2, etc. So, you may need to use a Lua script to match them, as I'm not sure that ASDM can do the job in this case.
I remember I used the following Lua script to match a single OU value:

    -- OU value to look for in the user certificate
    local match_pattern = "CA_Users"
    -- walk every user certificate DAP exposes for this session
    for k, v in pairs(endpoint.certificate.user) do
        local match_value = v.subject_ou
        -- subject_ou is only present (as a string) when the cert carries an OU
        if (type(match_value) == "string") then
            if (string.find(match_value, match_pattern) ~= nil) then
                return true   -- OU matched: DAP condition is satisfied
            end
        end
    end
    return false  -- no certificate with a matching OU
Use the following as a reference:
and let us know how it goes.
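For the multi-OU case described above, the following is an added example (not code from the original post) of a DAP Lua script that checks every OU component of each user certificate, not just subject_ou. It assumes, as the post suggests, that the ASA exposes additional OU components as subject_ou_1, subject_ou_2, and so on, and that endpoint.certificate.user iterates over the user certificates; confirm both attribute names with "debug dap trace" before relying on this. The required OU values are constructed sample values.

```lua
-- Added example, not from the original post. Assumes DAP exposes extra OU
-- components as subject_ou, subject_ou_1, subject_ou_2, ... (verify with
-- "debug dap trace" on your ASA).

-- Constructed sample values: every one of these must appear in some OU
-- component of a single user certificate for the condition to pass.
local required_ous = { "CA_Users", "VPN_Admins" }

-- Returns true if the key names one of the OU attributes DAP derives from
-- the certificate subject (subject_ou, subject_ou_1, subject_ou_2, ...).
local function is_ou_attribute(key)
    return type(key) == "string"
       and (key == "subject_ou" or string.find(key, "^subject_ou_%d+$") ~= nil)
end

-- Checks one certificate table: collects every OU component and verifies
-- that each required value is present. Plain (non-pattern) matching is used
-- so that characters like "-" or "." in OU names are not treated as magic.
local function cert_has_required_ous(cert)
    local found = {}
    for key, value in pairs(cert) do
        if is_ou_attribute(key) and type(value) == "string" then
            for _, want in ipairs(required_ous) do
                if string.find(value, want, 1, true) ~= nil then
                    found[want] = true
                end
            end
        end
    end
    for _, want in ipairs(required_ous) do
        if not found[want] then
            return false
        end
    end
    return true
end

-- Walk every user certificate DAP exposes for this session. A missing
-- certificate table simply yields false rather than a script error.
local certs = endpoint.certificate and endpoint.certificate.user
if type(certs) ~= "table" then
    return false
end
for _, cert in pairs(certs) do
    if type(cert) == "table" and cert_has_required_ous(cert) then
        return true   -- one certificate satisfied every required OU
    end
end
return false
```

Because the required values are checked per certificate rather than across all of them, a session presenting two different certificates that each carry only one of the OUs still fails, which is the intended behaviour when the DAP record should key on a single certificate's identity.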