anyconnect-profile.xml

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <LocalLanAccess>true</LocalLanAccess>
    <AutoUpdate>false</AutoUpdate>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal">
          <Name>CN</Name>
          <Pattern>subject common name</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>fqdn</HostName>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Tested on Mac OS X El Capitan 10.11. Place this in /opt/cisco/anyconnect/profile with root being the owner. Install client certificate via Keychain Access.