Hi,
We gathered some experience using SCEP and Dogtag. To be a little more precise, we are issuing certs to Cisco routers by the thousands (the whole sales force needs these...).
The current implementation works, but still leaves some room for improvement :-)
Your client initially needs a password that must be known to the CA in the flatfileauth file used for your SCEP profile. The CA has a simple (more of an example) application to request such a password; we tied it to our order system to further authenticate those requests.
When your CA certificate (or the certificate you are using for SCEP) sits in an HSM, you'll need quite an extension for the existing code, as the current code will not be able to decrypt the requests (in this case due to Cisco's error - but we have to serve our clients...).
The Cisco client still complains about some operations not being implemented, but works after those modifications.
Yours,
Alexander
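As an added illustration of the challenge-password step described in the message above (example code written here, not Alexander's tooling and not part of Dogtag): the script below generates one random enrollment password per device, renders and parses a flat file of `UID:`/`PWD:` entries, and checks a submitted challenge in constant time, removing the entry on success so a password that leaks from a router config cannot be replayed for a second enrollment. The entry layout is an assumption modelled on Dogtag's flatfile auth plugin; check it against your CA release's documentation, and the one-time-use policy is this example's own choice rather than something the CA enforces.

```python
import secrets
from typing import Dict, Iterable, Tuple

# Assumed flat-file layout: one block per device, "UID:<id>" then "PWD:<password>",
# blocks separated by a blank line. Verify against your Dogtag version before use.


def generate_entries(device_ids: Iterable[str], nbytes: int = 16) -> Dict[str, str]:
    """Return {device_id: challenge_password} with an independent random secret per device."""
    return {dev: secrets.token_hex(nbytes) for dev in device_ids}


def render_flatfile(entries: Dict[str, str]) -> str:
    """Serialise entries into the assumed UID:/PWD: block format."""
    blocks = [f"UID:{uid}\nPWD:{pwd}\n" for uid, pwd in entries.items()]
    return "\n".join(blocks)


def parse_flatfile(text: str) -> Dict[str, str]:
    """Parse the assumed block format back into {uid: password}; incomplete blocks are ignored."""
    entries: Dict[str, str] = {}
    uid = pwd = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # blank line ends a block
            if uid and pwd:
                entries[uid] = pwd
            uid = pwd = None
            continue
        key, _, value = line.partition(":")
        key = key.strip().upper()
        if key == "UID":
            uid = value.strip()
        elif key == "PWD":
            pwd = value.strip()
    if uid and pwd:  # file may end without a trailing blank line
        entries[uid] = pwd
    return entries


def check_challenge(entries: Dict[str, str], uid: str, challenge: str) -> bool:
    """Constant-time comparison so timing does not reveal how much of a guess matched."""
    expected = entries.get(uid)
    if expected is None:
        return False
    return secrets.compare_digest(expected, challenge)


def consume_challenge(entries: Dict[str, str], uid: str, challenge: str) -> Tuple[bool, Dict[str, str]]:
    """Validate and, on success, return the entry set without this UID (one-time use)."""
    if check_challenge(entries, uid, challenge):
        return True, {k: v for k, v in entries.items() if k != uid}
    return False, entries


if __name__ == "__main__":
    # Constructed device identifiers for demonstration.
    issued = generate_entries(["router-001", "router-002"])
    flatfile = render_flatfile(issued)
    print(flatfile)
    loaded = parse_flatfile(flatfile)
    ok, remaining = consume_challenge(loaded, "router-001", issued["router-001"])
    print("first enrollment accepted:", ok)
    print("replay accepted:", check_challenge(remaining, "router-001", issued["router-001"]))
```

Tie the generation step to whatever authorises the request (the order system in the message) and write the rendered file where the CA's flatfile auth plugin reads it; the parse step is what an audit script would use to find entries that were issued but never consumed.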