Thank you for sharing that information, Marcel. That is what Airheads is about.
As for OCSP / CRL, I don't believe many systems will check CRL URLs themselves; that is something the client can do if it wants to. CRLs are often local anyway, so the ClearPass might not even be able to reach it. OCSP is the way to go.