Based on the provided sources, the three correct statements describing Cisco ISE as a CA are:
Cisco ISE can issue endpoint certificates: ISE provides a lightweight PKI that can directly provision digital certificates to BYOD endpoints and other network devices.
Cisco ISE can perform OCSP checks: The ISE CA can function as an Online Certificate Status Protocol (OCSP) responder to determine and check the revocation status of certificates it has issued.
Cisco ISE can be configured as a subordinate CA of a corporate or external CA: ISE can work seamlessly with an existing enterprise PKI by acting as an intermediate or subordinate CA, allowing it to issue certificates signed by that external authority.
