When one of the CLM policy modules loaded by the CA returns an error ("denied by policy module"), it can be useful to enable CLM policy module debug logging as well as CA server debug logging.

You can manually edit the registry settings using the details on TechNet, but this is a bit cumbersome because the 'CANAME' part of the registry path is different for each installation.

A more convenient way is to use the certutil command with the -setreg option and the ca\ prefix, which resolves to the configuration key of the active CA so you do not need to know CANAME:

certutil -setreg ca\PolicyModules\CLM2.Policy Verbose

certutil -setreg ca\PolicyModules\CLM2.PolicyModule Verbose

certutil -setreg ca\PolicyModules\CLM2.PolicyModule.Dump Verbose

certutil -setreg ca\PolicyModules\CLM2.PolicyModulePlugins Verbose

certutil -setreg ca\ExitModules\CLME2.ExitModule Verbose

certutil.exe -f -setreg ca\debug 0xffffffff

Net Stop Certsvc && Net Start Certsvc

Note that some of the settings above are only relevant for FIM and will be ignored by ILM and CLM.
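
A way to snapshot the CA configuration before running the commands above, so the pre-change state is on record once troubleshooting is done. This is an added example, not part of the original post; the backup folder C:\CAConfigBackup and the variable names are assumptions, and the value paths are the ones listed above.

```powershell
# Added example (not from the original post). Run elevated on the CA server.

# The 'Active' value under CertSvc\Configuration holds the name of the installed CA,
# which is the per-installation 'CANAME' part of the registry path.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active -ErrorAction Stop).Active
$caKey     = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"

# Assumed backup location; pick a folder that only CA administrators can read.
$backupDir = 'C:\CAConfigBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$regFile   = Join-Path $backupDir "$caName-$stamp.reg"
$txtFile   = Join-Path $backupDir "$caName-$stamp-values.txt"

# Export the whole CA configuration key before anything is changed.
& reg.exe export $caKey $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed for $caKey" }

# Record the current state of each value the post changes.
# certutil reports an error for values that do not exist yet; that is recorded too.
$targets = @(
    'ca\PolicyModules\CLM2.Policy',
    'ca\PolicyModules\CLM2.PolicyModule',
    'ca\PolicyModules\CLM2.PolicyModule.Dump',
    'ca\PolicyModules\CLM2.PolicyModulePlugins',
    'ca\ExitModules\CLME2.ExitModule',
    'ca\debug'
)
foreach ($t in $targets) {
    "=== $t ===" | Out-File -FilePath $txtFile -Append
    & certutil.exe -getreg $t | Out-File -FilePath $txtFile -Append
}

Write-Host "CA name      : $caName"
Write-Host "Registry copy: $regFile"
Write-Host "Value listing: $txtFile"
```

Importing the exported file with reg import restores values that existed at export time but does not remove values created afterwards; those can be deleted with certutil -delreg, followed by a restart of Certsvc.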
