You should consider using Dynamic Access Policies with CSD. You can use this to check for a registry setting, file, certificate, AV, FW, AS etc before allowing the computer to connect. The DAP check is done at the same time you enter your username and password. You can read more about DAP and how to deploy it here:
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
DAP only has limited functionality with the traditional IPSec client, but has full functionality with the AnyConnect SSL vpn. The ASA comes with a default of 2 free licenses for testing. If you need additional licenses, you can purchase them by emailing licensing@cisco.com or contacting your account team or reseller. The licenses come in two forms (essential and full) -- you would need the full license to be able to do DAP as it is not supported with the essentials license.