When getting an error back from one of the CLM policy modules that are loaded by the CA ("denied by policy module") it may be useful to enable CLM Policy module debug logging as well as CA server debug logging.
You can manually edit the registry settings using the details on Technet but it's a bit cumbersome as the 'CANAME' part will be different for each installation obviously.
To accomplish this in a more convenient way you can use the Certutil command with the -setreg CA option:
certutil -setreg ca\PolicyModules\CLM2.Policy Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModule Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModule.Dump Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModulePlugins Verbose
certutil -setreg ca\ExitModules\CLME2.ExitModule Verbose
certutil.exe -f -setreg ca\debug 0xffffffff
Net Stop Certsvc && Net Start Certsvc
Note that some of the settings above are only relevant for FIM but will be ignored by ILM and CLM.
Troubleshooting CLM 2007:http://technet.microsoft.com/en-us/library/cc720663(WS.10).aspx
FIM CM Logging and random errorshttp://blogs.msdn.com/b/spatdsg/archive/2010/08/02/fim-cm-logging-and-random-errors.aspx
FIM CM and SQL APIs– The EXECUTE permission was denied on the objecthttp://blogs.msdn.com/b/spatdsg/archive/2010/11/02/fim-cm-and-sql-apis-the-execute-permission-was-denied-on-the-object.aspx