Ok, I have read a few posts on internet about how to configure Remote Access using 515E, VPN Client 4.6 and Windows 2003 as a CA.
I am having a lot of problems, and has been kicking my butt for the past week.I was able to get it to work using Pre shared keys.
Another weird problem is that when I do the commands to get a certificate from the CA, I lose the ability to open up PDM via a web browser. I have a telnet session running at the same time doing a debug of Crypto stuff, and it returns:

CRYPTO_CA: certificate not found

Now if I go in and clear out all the CA information, the PIX will build its own certificate and I can access the PIX via PDM, but I have no certificates installed. For my PIX Config is the following

pix(config)# ca generate rsa key 1024 // this one works and returns what I see is correct info.

pix(config)# ca identity myca 10.10.x.x:/certsrv/mscep/mscep.dll //this one also seems to work properly when executed, no errors.

pix(config)# ca configure myca ra 1 5 crloptional //again, also seems to work

pix(config)# ca authenticate myca //well this one executes, but from what I read I should be getting information returned to me (fingerprint), but I get nothing, just goes back to prompt.

At this point I can issue the "show ca certificate" command and it returns CA Certificate

Status: Available
Certificate Serial Number: 09a085d2a8d6dea74cde3a94313c3d57
Key Usage: Signature
CN = fserver3
OID.0.9.2342.19200300.100.1.25 =<16> webd2ms2
OID.0.9.2342.19200300.100.1.25 =<16> com
Validity Date:
start date: 14:30:47 EST Oct 29 2008
end date: 14:39:31 EST Oct 29 2018

RA Signature Certificate
Status: Available
Certificate Serial Number: 300f4c78000000000002
Key Usage: Signature
EA =<16>
CN = Administrator
OU = VPNCERT
O = D2MS
L = Chesapeake
ST = Virginia
C = US
Validity Date:
start date: 14:37:35 EST Oct 29 2008
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 300f4def000000000003
Key Usage: Encryption
EA =<16>
CN = Administrator
OU = VPNCERT
O = D2MS
L = Chesapeake
ST = Virginia
C = US
Validity Date:
start date: 14:37:35 EST Oct 29 2008
end date: 15:37:35 EDT Oct 29 2010

So it would seem I have a Certificate......not sure what to make of it, but ok. Then I go and do the enrollment command pix(config)# ca enroll my ca "challenge Password obtained from CA" Now from that command, I appear to receive correct information.....
looking at a document on Cisco's website seems to confirm it.Now for the CA Server...I have installed Certificate Authority as well as the SCEP add-on. Looking at issued Certificates, it seems that a certificate does get issued to the PIX, and the request came from the pix.....so communication there seems fine.On my PC using VPN Client I have done two things.

1) I have used the built-in Enrollment option and using the //website/certsrv/mscep/mscep.dll along with his password.
That certificate also gets issued, I can look and see it there. It is issued the IPSec (Offline Certificate)

2) I have also installed a certificate manually by going to my CA and requesting an IPSec (Offline Certificate), receiving it and installing it on my PC.

So then both certs show up in the VPN Client Certificates list.
I have made sure to use the "VPN Group Name" as the Department.So now for my Certificate Connection I can set it up to use either. If I use the one rec'd by Cisco's enrollment, it asks for a Password, so I go to my CA website and put one in and then send it on. Does not connect. If I use the one that I requested from the website, it does not ask for a Password.....but it still does not connect. I look at the log window, but nothing shows up...

I have seen at times
-- Invalid PKI
-- Malformed Payload

Also looking at the debug info on the PIX, I see similar things.
-- retransmitting phase 1
-- malformed payload.