Josh,
Sorted.
So basically what I've set up and tested is this.
On the PANW, under Device, Admin Roles, add a new role, say cppm-xml. Then click on the role to edit it; it gives you a pop-up window with three tabs: Web UI, XML API & Command Line. Under Web UI I disabled everything; under XML API I disabled everything except 'User-ID agent'.
Then I created a new Administrator, say cppm-admin, provide a password but change the Role from Dynamic to 'Role Based', choose the Admin Profile previously created in the drop-down, then obviously use this new admin profile when configuring the context server on CPPM.
I've tested this with PAN-OS 6.01; the config under PAN-OS 5.x looks the same but I've NOT tested it.
Hope this helps you out. I'll add this snippet to my next CPPM/PANW TechNote. :-)