Certificate System 7.1 Agent Revocation Checking will not turn off

Solution Verified

Environment

  • Red Hat Certificate System 7.1
  • Red Hat Enterprise Linux 4

Issue

  • In Certificate System 7.1, log entries show agent revocation checking taking place even when auths.revocationChecking.enabled=false

Resolution

  • This will be fixed in Certificate System 8.1
  • There is no impact to the system from this; it only generates log entries

Diagnostic Steps

The log entries in question are:

[07/Jan/2009:14:52:08 -0500] conn=1 op=24 SRCH base="cn=69,ou=certificateRepository, ou=ca, o=NetscapeCertificateServer" scope=0 filter="(objectClass=*)" attrs=ALL

and

[07/Jan/2009:14:52:08 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0

This search takes place in:
cms/classsrc/com/netscape/cmscore/authentication/SSLClientCertAuthentication.java
in
   public IAuthToken authenticate(IAuthCredentials authCred)
and for
   record = (ICertRecord) mCertDB.readCertificateRecord(serialNum);
it searches the certificate repository for the serial number of the certificate presented.

Once the attributes are retrieved, some processing is done for certificate status verification, among other things. Then there is another search to verify that this certificate is somewhere in ou=People,o=NetscapeCertificateServer, in order to determine which group it belongs to in the CA's active configuration:

[07/Jan/2009:14:52:08 -0500] conn=2 op=8 SRCH base="ou=People,o=NetscapeCertificateServer" scope=2 filter="(description=2;69;CN=your cn)" attrs=ALL

and:

[07/Jan/2009:14:52:08 -0500] conn=2 op=8 RESULT err=0 tag=101 nentries=1 etime=0

This second search is performed by
cms/classsrc/com/netscape/cmscore/usrgrp/ExactMatchCertUserLocator.java
in
public class ExactMatchCertUserLocator implements ICertUserLocator {

The search under ou=People,o=NetscapeCertificateServer determines which groups the certificate belongs to, and what its associated rights are.
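As an added example (not part of this solution and not Certificate System code), the following Python script parses access-log lines of the form quoted above, pairs each SRCH with the RESULT line carrying the same conn/op, and labels the two searches that make up the agent client-certificate check. An administrator can run it over a log extract to confirm that a burst of such entries is this benign pattern (certificate record read followed by the ou=People lookup for the same serial, both returning one entry) rather than something else. It assumes the log syntax shown above and that the second ';'-separated field of the description filter is the certificate serial (it is 69 in both entries of the sample); the sample log embedded below consists of the four lines quoted above plus constructed, unrelated lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the four access-log lines quoted in the solution,
# plus one unrelated search so the classifier has something to leave alone.
SAMPLE_LOG = """\
[07/Jan/2009:14:52:08 -0500] conn=1 op=24 SRCH base="cn=69,ou=certificateRepository, ou=ca, o=NetscapeCertificateServer" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Jan/2009:14:52:08 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jan/2009:14:52:08 -0500] conn=2 op=8 SRCH base="ou=People,o=NetscapeCertificateServer" scope=2 filter="(description=2;69;CN=your cn)" attrs=ALL
[07/Jan/2009:14:52:08 -0500] conn=2 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jan/2009:14:52:09 -0500] conn=3 op=1 SRCH base="ou=requests,ou=ca,o=NetscapeCertificateServer" scope=1 filter="(requestState=pending)" attrs=ALL
[07/Jan/2009:14:52:09 -0500] conn=3 op=1 RESULT err=0 tag=101 nentries=0 etime=0
"""


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    filter: str
    kind: str = "other"            # cert_record_lookup | cert_user_lookup | other
    serial: Optional[str] = None   # certificate serial number the search concerns
    err: Optional[int] = None      # filled in from the matching RESULT line
    nentries: Optional[int] = None


SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)')

# readCertificateRecord(serialNum): base-scope read of cn=<serial>,ou=certificateRepository,...
CERT_RECORD_RE = re.compile(r'^cn=(?P<serial>\d+),\s*ou=certificateRepository\b', re.IGNORECASE)
# ExactMatchCertUserLocator: subtree search under ou=People with a description filter.
# Assumption: the second ';'-separated field of that filter is the serial (69 in the sample).
USER_LOCATOR_RE = re.compile(r'^\(description=[^;]*;(?P<serial>\d+);', re.IGNORECASE)


def classify(s: Search) -> Search:
    """Label a search as one of the two halves of the agent cert check, or 'other'."""
    m = CERT_RECORD_RE.match(s.base)
    if m and s.scope == 0:
        s.kind, s.serial = "cert_record_lookup", m.group("serial")
        return s
    m = USER_LOCATOR_RE.match(s.filter)
    if m and s.base.lower().startswith("ou=people,"):
        s.kind, s.serial = "cert_user_lookup", m.group("serial")
    return s


def parse_access_log(text: str) -> List[Search]:
    """Pair each SRCH line with the RESULT line carrying the same conn/op and classify it."""
    pending: Dict[Tuple[int, int], Search] = {}
    done: List[Search] = []
    for line in text.splitlines():
        m = SRCH_RE.match(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            pending[key] = classify(Search(key[0], key[1], m["base"], int(m["scope"]), m["filter"]))
            continue
        m = RESULT_RE.match(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            s = pending.pop(key, None)
            if s is not None:
                s.err, s.nentries = int(m["err"]), int(m["nentries"])
                done.append(s)
    done.extend(pending.values())  # searches whose RESULT is not in the extract are kept too
    return done


def agent_auth_serials(text: str) -> Dict[str, Dict[str, bool]]:
    """Per serial, record whether each half of the agent client-cert check was seen
    and succeeded (err=0 and exactly one entry returned)."""
    seen: Dict[str, Dict[str, bool]] = {}
    for s in parse_access_log(text):
        if s.kind == "other":
            continue
        ok = s.err == 0 and (s.nentries or 0) == 1
        seen.setdefault(s.serial, {"cert_record_lookup": False, "cert_user_lookup": False})[s.kind] = ok
    return seen


if __name__ == "__main__":
    for s in parse_access_log(SAMPLE_LOG):
        print(f"conn={s.conn} op={s.op} {s.kind:20} serial={s.serial} err={s.err} nentries={s.nentries}")
    print(agent_auth_serials(SAMPLE_LOG))
```

A serial that shows only the certificate-record read, or a lookup that returns zero entries, is not the pattern this solution describes and deserves a closer look; the script leaves those visible rather than filtering them out.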

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
