Testing Universal Smart Card Login Method on NW 6.5 SP 7. Use it with Aladdin eToken.

All work only with disabled Certificate Revocation Lists Validation in Login Method Properties.

With enabled CRL Checking login end with internal error 0x00008801.
DStrace.log show only error on:

37: MAF_GetAttribute LSM 0x00000017 AID: 30
37: CheckSubjectName: 1 alternate subject names
37: CheckSubjectName: subject name matched allowable subject name
37: CheckSubjectName: Found subject name match
37: DecodeCRLFlag: checkCrlFlag = 0x1
37: ERROR: -16049 MAF_GetAttribute LSM 0x00000017 AID: 18
37: getEnhancedOptions: Failed to read CRL Grace Interval -16049
37: ValidateCertificate: Failed to read Enhanced Options -16049
37: ValidateCertificate: failed -16049
37: VerifyUserSignature: verify signature successful 0
37: MethodBody: VerifyUserCertificate failed verification

CRL containers and object in tree exists and configured.

Any suggestions?
What and where is CRL Grace Interval? Documentation says that such option CRL Grace Period is in Enhanced Smart Card , but dont exist in Universal Smart Card Method.