Can anyone help me understand what is happening here?   I see a cert validation on the client and on the ASA I see No matching fingerprint in chain against the trustpoint in question.  

KI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[8]: ---------Certificate--------:
        Serial Number:
            50:4b:ea:5f:0c:3f:62:09:6a:ca:d1:4e:a4:5c:a6:1b:2d:b4:8f:ad
        Issuer: O=Cisco, OU=ccf6dc4a-9fe9-4c20-85a6-46d2709e8435, CN=SCEPman-Root-CA-V1
        Subject: C=US, ST=MD, L=SF, O=CISCO, CN=jblack@domain.com/emailAddress=jblack@domain.com

PKI[8]: End sorted cert chain
PKI[13]: pki_ossl_get_store, pki_ossl_certstore.c:61
PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:194
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[7]: Cert to verify
PKI[7]: ---------Certificate--------:
        Serial Number:
            50:4b:ea:5f:0c:3f:62:09:6a:ca:d1:4e:a4:5c:a6:1b:2d:b4:8f:ad
        Issuer: O=Cisco, OU=ccf6dc4a-9fe9-4c20-85a6-46d2709e8435, CN=SCEPman-Root-CA-V1
        Subject: C=US, ST=MD, L=SF, O=CISCO, CN=jblack@domain.com/emailAddress=jblack@domain.com

PKI[12]: pki_verify_cb, pki_ossl_validate.c:344
PKI[8]: val status=1: cert subject: /O=Cisco/OU=ccf6dc4a-9fe9-4c20-85a6-46d2709e8435/CN=SCEPman-Root-CA-V1. ctx->error: (0)ok, cert_idx: 1
PKI[12]: pki_verify_cb, pki_ossl_validate.c:344
PKI[8]: val status=1: cert subject: /C=US/ST=MD/L=SF/O=CISCO/CN=jblack@domain.com/emailAddress=jblack@domain.com. ctx->error: (0)ok, cert_idx: 0
PKI[8]: pki_ossl_find_valid_chain took 537 microsecs
PKI[6]: Verified chain:
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[6]: ---------Certificate--------:
        Serial Number:
            50:4b:ea:5f:0c:3f:62:09:6a:ca:d1:4e:a4:5c:a6:1b:2d:b4:8f:ad
        Issuer: O=Cisco, OU=ccf6dc4a-9fe9-4c20-85a6-46d2709e8435, CN=SCEPman-Root-CA-V1
        Subject: C=US, ST=MD, L=SF, O=CISCO, CN=jblack@domain.com/emailAddress=jblack@domain.com

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[6]: ---------Certificate--------:
        Serial Number:
            0a:ec:66:37:ae:04:4a:c4:99:3f:c6:4b:42:ad:59:99
        Issuer: O=Cisco, OU=ccf6dc4a-9fe9-4c20-85a6-46d2709e8435, CN=SCEPman-Root-CA-V1
        Subject: O=Cisco, OU=ccf6dc4a-9fe9-4c20-85a6-46d2709e8435, CN=SCEPman-Root-CA-V1

PKI[13]: pki_ossl_policy_select, pki_ossl_policy.c:545
PKI[9]: Policy search for cert 0
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy scepman-trust for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy scepman-trust rejected. No matching fingerprint in chain

VPN and AnyConnect