I would like to "pin" the certificate or at least the certificate authority for AnyConnect connections. Given the amount of SSL mitm'ing and compromised CA's, I want to ensure that only certificates signed by a certain CA are accepted as valid by the AnyConnect client when establishing connection to the VPN.
How to do it on ASA 5510?
I don't know anything about your Cisco gear, but generally speaking any SSL client will have copies installed of the public key for the CAs it trusts. I presume your Cisco kit is the same, but I can't help you with how to install a specific certificate it doesn't already have.
If your system relies on public CA infrastructure, then not much will help if the CA is compromised. At that point a MITM attacker can sign their own key and there is little you can do to distinguish whether that key has been legitimately signed or not. If the attacker has theCA key, there's no difference between them and one signed by the CA using the same key. The only thing you can do is to make sure you have a mechanism for tracking revocations that might be issued for the CA certs.
If you only want to accept certificates signed by a specific CA (limiting your exposure to other CAs being compromised ), then you could remove all the CA certs except the one you trust.
Many SSL communications with a known set of devices (and this is therefore likely for a VPN product) keep a registry with a fingerprint of each client's certificate, or sign the client certs with a key held by the server (ie the server is it's own CA). in these cases there is no need for an external CA, but there has to be a system for securely issuing or signing the certificates. That seems likely for your VPN product, but as I say, I don't know the Cisco gear. If you have an architecture of this sort though, the key point is that compromise of public CAs is unlikely to concern you.
If you have a system where yourVPN server is signing certificates itself, then having the client certs signed by your own CA is every bit as good as checking the client certs against some sort of registry, which is what your list of pinned certs would effectively be.