When the CA returns an error from one of the CLM policy modules it loads ("denied by policy module"), it can be useful to enable CLM policy module debug logging as well as CA server debug logging.
You can edit the registry settings manually using the details on TechNet, but this is a bit cumbersome because the 'CANAME' part of the key path is different for each installation.
A more convenient way is to use the certutil command with the -setreg option and the ca\ prefix, which resolves to the active CA's configuration key:
certutil -setreg ca\PolicyModules\CLM2.Policy Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModule Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModule.Dump Verbose
certutil -setreg ca\PolicyModules\CLM2.PolicyModulePlugins Verbose
certutil -setreg ca\ExitModules\CLME2.ExitModule Verbose
certutil.exe -f -setreg ca\debug 0xffffffff
Net Stop Certsvc && Net Start Certsvc
Note that some of the settings above are only relevant for FIM but will be ignored by ILM and CLM.
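Before changing anything, it helps to record what is currently set so the verbose logging can be backed out once troubleshooting is done. The following read-only PowerShell snapshot is an added example, not part of the original post. It assumes the standard CertSvc Configuration registry location and its Active value; the function name Get-KeyValues and the output file name are hypothetical.

```powershell
# Added example (not from the original post): snapshot the registry values
# touched by the certutil -setreg commands above. Read-only.
# Run in an elevated PowerShell session on the CA server.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# 'Active' holds the CA name; that key is what certutil addresses as "ca\".
$caName = (Get-ItemProperty -LiteralPath $cfgRoot -Name Active).Active
$caKey  = Join-Path $cfgRoot $caName

# Hypothetical helper: emit one object per value stored directly under a key.
function Get-KeyValues {
    param([string]$KeyPath, [string]$Label)
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key   = $Label
            Name  = $name
            Kind  = $key.GetValueKind($name)
            Value = $key.GetValue($name)
        }
    }
}

$snapshot = @(
    # CA-level Debug value (written by "-setreg ca\debug"); absent if never set.
    Get-KeyValues -KeyPath $caKey -Label 'ca' |
        Where-Object { $_.Name -eq 'Debug' }

    # Every value under each installed policy and exit module, subkeys included.
    foreach ($branch in 'PolicyModules', 'ExitModules') {
        $branchKey = Join-Path $caKey $branch
        if (-not (Test-Path -LiteralPath $branchKey)) { continue }
        $prefixLen = (Get-Item -LiteralPath $branchKey).Name.Length
        foreach ($sub in Get-ChildItem -LiteralPath $branchKey -Recurse) {
            # Label each key the way certutil -getreg/-setreg would address it.
            $label = "ca\$branch" + $sub.Name.Substring($prefixLen)
            Get-KeyValues -KeyPath $sub.PSPath -Label $label
        }
    }
)

$snapshot | Format-Table -AutoSize
# Keep a copy to compare against after troubleshooting.
$snapshot | Export-Clixml -Path '.\certsvc-logging-before.xml'
```

Running it again after the certutil commands and the service restart shows exactly which values changed and what they need to be set back to.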