Forum Discussion
OCSP Responders and Configuration Profiles
Session.ssl.cert.issuer is a variable that contains the CA used to authenticate the client cert. You can then look for some unique attribute within the DN by saying 'contains' followed by the attribute that makes that root CA unique, such as the issuer name, for example. Does that pretty much sum it up?
session.ssl.cert.issuer is the DN value of the immediate issuer of the subject of the client certificate, and is contained within the certificate itself. It doesn't really have as much to do with "authentication" as it does just "issuance" and chain of trust. In any case, this value is a DN, and each public issuing CA (Verisign, DigiCert, Entrust, GoDaddy, Thawte, etc.) should have a unique-enough DN string to be able to distinguish it from other issuers.
But I'd also point out that you're not going to see the "root" CA of any of these public CAs in any of the client certificates. As a matter of good security practice, public CAs issue subordinate CAs to do all of the heavy lifting, and in some cases there are multiple levels of subordinate CAs in a public CA's "chain". What you're going to see in the client's certificate is the issuer of that certificate, which may be one of several subordinate CAs of GoDaddy, for example. You're going to need to get samples of as many of these issuers as you can to help define your search patterns.
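An added illustration, not part of the original posts and not APM policy syntax: a Python sketch of mapping an issuer DN to an OCSP responder profile by exact attribute match instead of 'contains', which goes a step beyond the substring approach discussed above so that sibling subordinate CAs are not confused. It assumes the issuer DN arrives as a comma-separated string of attribute=value pairs; the DNs and profile names are constructed placeholders.

```python
import re

# Split on commas that are not backslash-escaped (e.g. "O=Example Trust\, Inc").
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> frozenset:
    """Turn 'CN=..., O=..., C=..' into an order-independent set of (attr, value)."""
    pairs = set()
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Unescape commas, collapse whitespace, and compare case-insensitively.
        value = " ".join(value.replace("\\,", ",").split())
        pairs.add((attr.strip().lower(), value.casefold()))
    return frozenset(pairs)


# Constructed issuer DNs mapped to hypothetical OCSP profile names. In practice
# this table is built from issuer DNs collected from sample client certificates.
_KNOWN_ISSUERS = {
    "CN=Example Issuing CA, O=Example Trust\\, Inc, C=US": "ocsp_example_g1",
    "CN=Example Issuing CA G2, O=Example Trust\\, Inc, C=US": "ocsp_example_g2",
    "CN=Sample Secure CA, OU=Certification Services, O=Sample Corp, C=GB": "ocsp_sample",
}
ISSUER_TABLE = {parse_dn(dn): profile for dn, profile in _KNOWN_ISSUERS.items()}


def select_profile(issuer_dn: str):
    """Return the profile for an exactly matching issuer, else None (unknown issuer)."""
    try:
        return ISSUER_TABLE.get(parse_dn(issuer_dn))
    except ValueError:
        return None


def substring_match(issuer_dn: str, needle: str) -> bool:
    """The 'contains' style check, kept only for comparison."""
    return needle in issuer_dn


if __name__ == "__main__":
    for dn in _KNOWN_ISSUERS:
        print(select_profile(dn), substring_match(dn, "Example Issuing CA"), dn)
```

The substring "Example Issuing CA" matches both constructed Example subordinates, while the exact lookup separates them; an issuer that is not in the table returns None so the caller can decide how to handle an unrecognised CA.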