One way of doing would be to write a signature that would detect ocsp requests going back to the relevant Certificate Authorities, these request go over port 80, so a signature looking for the keyword "application/ocsp-request" would go along way to meeting this request.
