Cisco ASA not able to validate CRL signature from Symantec Class 3 SSP Intermediate CA - G2 CA
Article ID: 164467

Products

VIP Service

Issue/Introduction

Cisco ASA is not able to validate the CRL signature from the Symantec Class 3 SSP Intermediate CA - G2 CA, and the following error message is received:

CRYPTO_PKI: status = 1872: failed to verify CRL signature

The Cisco ASA device was not performing full-path trust validation on the personal certificate's CRL. This was determined not to be a technical problem: the Cisco authentication algorithm apparently, by design, does not perform full-path validation (i.e. the algorithm does not fully support the CRL validation specifications in RFC 5280).

Cause

Initially, the ARL (Authority Revocation List) was configured as a trust point in the Cisco ASA configuration, on the assumption that the Cisco ASA device (and its authentication algorithm) would first validate the CRL specified in the end-user certificate and then move up the chain to validate the ARL. This assumption was incorrect: although the Cisco authentication algorithm validated the CRL correctly, the authentication process stopped there (it did not move up the chain to validate the ARL), which caused the error.
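The distinction the article draws, validating only the end-user certificate's CRL versus walking the whole path (the CRL for the user certificate, then the ARL for the intermediate CA) as RFC 5280 expects, can be reproduced offline with the openssl command-line tool. The script below is an added example and is not part of the article or of any Cisco or Symantec tooling. It assumes only that an `openssl` binary (1.1.1 or later) is on the PATH; every CA name, serial number, file name and the temporary directory it creates are constructed for the demo, and `root.crl` plays the role of the ARL because the root only issues CA certificates. It also shows what the "failed to verify CRL signature" condition looks like in isolation: a CRL checked against a certificate that carries the issuer's name but a different key.

```shell
#!/bin/sh
# Added example, not from the article: a throwaway three-tier PKI built with the
# openssl CLI, a CRL issued by the intermediate CA, an ARL issued by the root, and a
# revocation check that walks the whole path as RFC 5280 expects. Every CA name,
# serial number and file path here is constructed for the demo.
set -eu
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

write_configs() {
  # 'openssl req' insists on a distinguished_name section even when -subj supplies the DN.
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\n' > "$DEMO_DIR/req.cnf"
  cat > "$DEMO_DIR/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
}
init_ca_db() {  # $1 = CA short name; each CA keeps its own 'openssl ca' database and CRL number
  mkdir -p "$DEMO_DIR/$1.db"; : > "$DEMO_DIR/$1.db/index.txt"; echo 01 > "$DEMO_DIR/$1.db/crlnumber"
  printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = %s\ncrlnumber = %s\ndefault_md = sha256\ndefault_crl_days = 1\n' \
    "$DEMO_DIR/$1.db/index.txt" "$DEMO_DIR/$1.db/crlnumber" > "$DEMO_DIR/$1.ca.cnf"
}
gen_key_and_csr() {  # $1 = short name, $2 = common name
  openssl ecparam -name prime256v1 -genkey -noout -out "$DEMO_DIR/$1.key"
  openssl req -new -config "$DEMO_DIR/req.cnf" -key "$DEMO_DIR/$1.key" -subj "/CN=$2" -out "$DEMO_DIR/$1.csr"
}
sign_cert() {  # $1 = short name, $2 = serial, $3 = extension section, $4 = issuer short name ("" = self-signed)
  if [ -z "$4" ]; then
    openssl x509 -req -in "$DEMO_DIR/$1.csr" -signkey "$DEMO_DIR/$1.key" -days 1 -set_serial "$2" \
      -extfile "$DEMO_DIR/ext.cnf" -extensions "$3" -out "$DEMO_DIR/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$DEMO_DIR/$1.csr" -CA "$DEMO_DIR/$4.crt" -CAkey "$DEMO_DIR/$4.key" -days 1 \
      -set_serial "$2" -extfile "$DEMO_DIR/ext.cnf" -extensions "$3" -out "$DEMO_DIR/$1.crt" 2>/dev/null
  fi
}
issue_list() {  # $1 = CA short name: (re)issue that CA's CRL from its database (an ARL for the root)
  openssl ca -config "$DEMO_DIR/$1.ca.cnf" -gencrl -keyfile "$DEMO_DIR/$1.key" -cert "$DEMO_DIR/$1.crt" \
    -out "$DEMO_DIR/$1.crl" 2>/dev/null
}
build_pki() {
  write_configs
  gen_key_and_csr root "Demo Root CA"
  gen_key_and_csr int  "Demo Class 3 Intermediate CA"
  gen_key_and_csr leaf "user@example.test"
  gen_key_and_csr fake "Demo Class 3 Intermediate CA"   # same name as 'int', different key
  sign_cert root 1    v3_ca   ""
  sign_cert int  1000 v3_ca   root
  sign_cert leaf 4097 v3_leaf int
  sign_cert fake 1    v3_ca   ""
  init_ca_db root; init_ca_db int
  issue_list root   # root.crl is the ARL: no CA certificate revoked
  issue_list int    # int.crl is the CRL covering end-user certificates
}
# 'openssl crl -CAfile' looks the issuer up by name, then checks the signature with that key,
# so a certificate carrying the right name but the wrong key ends in 'verify failure'.
crl_signature_ok() {  # $1 = CRL/ARL file, $2 = candidate issuer certificate
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}
is_listed() {  # $1 = certificate, $2 = CRL/ARL: does the list name the certificate's serial number?
  serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  openssl crl -in "$2" -noout -text | grep -qi "Serial Number: $serial"
}
check_one() {  # $1 = certificate, $2 = its issuer, $3 = the issuer's CRL/ARL -> good|revoked|bad-crl-signature
  if ! crl_signature_ok "$3" "$2"; then echo bad-crl-signature
  elif is_listed "$1" "$3"; then echo revoked
  else echo good
  fi
}
# Walk the whole path: the leaf against the intermediate's CRL, then the intermediate against
# the root's ARL. The device behaviour the article describes stops after the first step.
full_path_status() {
  echo "leaf=$(check_one "$DEMO_DIR/leaf.crt" "$DEMO_DIR/int.crt" "$DEMO_DIR/int.crl")" \
       "intermediate=$(check_one "$DEMO_DIR/int.crt" "$DEMO_DIR/root.crt" "$DEMO_DIR/root.crl")"
}
revoke_leaf() {  # mark the user certificate revoked in the intermediate's database and reissue its CRL
  openssl ca -config "$DEMO_DIR/int.ca.cnf" -keyfile "$DEMO_DIR/int.key" -cert "$DEMO_DIR/int.crt" \
    -revoke "$DEMO_DIR/leaf.crt" 2>/dev/null
  issue_list int
}

build_pki
echo "before revocation: $(full_path_status)"
echo "CRL checked against a same-named CA with another key: $(check_one "$DEMO_DIR/leaf.crt" "$DEMO_DIR/fake.crt" "$DEMO_DIR/int.crl")"
revoke_leaf
echo "after revoking the user certificate: $(full_path_status)"
```

The same two openssl invocations, `openssl crl -in <crl> -CAfile <issuer cert> -noout` and `openssl crl -in <crl> -noout -text`, are what a practitioner would run against a CRL and ARL downloaded from the real distribution points to confirm, independently of the ASA, that each list is signed by the CA it claims to come from and whether a given serial number appears on it.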

Resolution

Removing the ARL trust point from the Cisco ASA configuration resolved the issue.