What is a good tool to test ASM security policies?

Yes, a vulnerability scan. Any vulnerability scan will work, but if you do with the ones ASM supports, you can then import the report in the ASM to a create a policy.

Have a look in this link: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-getting-started-12-1-0/4.html

This is the Gartner quadrant for application security testing (should tell who is good or not): https://www.gartner.com/doc/reprints?id=1-2KU6P9E&ct=150807&st=sb

I also found this link, with a large list of scanners: http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List