This is still an issue almost three years later.
1) I cannot forbid CAPsMAN on all interfaces but local, because it prevents its own CAP from connecting.
2) I cannot use layer 2 on its own CAP interface.
3) The worst: this is not documented anywhere besides user forums (it should be in the CAPsMAN manual to prevent people from fighting for hours with something that isn't going to work).
4) I noticed that if I enable certificate request and CAPsMAN is not configured, even disabling the certificate request on the CAP has no effect; it still requests a certificate from CAPsMAN, resulting in an error. (This is a bug.)