Anyone looked into, or even using, an HSM appliance for eDirectory & IDM's CA & certs?

Apparently we're getting the Thales appliance(s) to build a "PKI infrastructure with a single CA" and I've been asked about having all our "stuff" (NetIQ) using it... basically the org wants to snoop all encrypted traffic on the network.