Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#240
Ok so it seems the real problem here is that supl.nokia.com has 2 obsolete VeriSign certificates in its chain, one with
Subject: "CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US"
and one with
Subject: "OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US"

The current Mozilla root CA store (and by extension the current maemo-security-certman git which I updated earlier) contains a newer certificate that matches
Subject: "CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US"
and will correctly validate the certificate
Subject: "CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US"
which in turn will correctly validate the certificate
Subject: "CN=supl.nokia.com,O=HERE Global BV,L=Veldhoven,ST=Noord-Brabant,C=NL"

I have an idea how to fix this without security risk to other things (e.g. browser) involving the fact that location-proxy will read from a private certificate store named location-proxy. This will require a binary patch to location-proxy (to correct a bug in the code that accesses the private certificate store) and installing the necessary root certificate into the private certificate store via cmcli. Both should be fairly easy to do I suspect (we do binary patches for the cell broadcast SMS stuff, I see no reason we can't do the same for location-proxy).

The fix is working on my own N900 (I am running the modified location-proxy and with the relevant certificate installed, I cleared all the GPS caches, rebooted the phone to flush out anything in RAM and got a GPS fix in no time with a dozen or so satellites returning signal levels in location-test-gui).

With the current contents of maemo-security-certman Git plus the 2 byte change to location-proxy plus the extra certificate stored in the private certificate store, AGPS with supl.nokia.com will work and work great.

We just need to figure out how best to package up the fix.
 

The Following 4 Users Say Thank You to jonwil For This Useful Post:
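
A small model of the chain situation described in the post above, added here as an illustration (not code from the post or from maemo-security-certman). The certificate names come from the post; the key ids and serials are constructed, and it is an assumption that the newer G5 certificate in the store carries the same key as the obsolete G5 copy the server sends.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:              # constructed stand-in for an X.509 certificate
    subject: str
    issuer: str
    key_id: str          # identifies the key this certificate carries
    signer_key_id: str   # identifies the key that signed it
    serial: str          # placeholder, distinguishes two certs with the same name

G5 = "VeriSign Class 3 Public Primary Certification Authority - G5"
OLD_ROOT = "Class 3 Public Primary Certification Authority"
G4 = "Symantec Class 3 Secure Server CA - G4"
# Chain as served (subjects from the post; keys and serials are constructed).
leaf = Cert("supl.nokia.com", G4, "k-leaf", "k-g4", "s1")
served = [
    Cert(G4, G5, "k-g4", "k-g5", "s2"),
    Cert(G5, OLD_ROOT, "k-g5", "k-old", "s3"),         # obsolete copy of G5
    Cert(OLD_ROOT, OLD_ROOT, "k-old", "k-old", "s4"),  # obsolete root
]
# Trust store: the newer G5 certificate (assumed self-signed, same key).
store = [Cert(G5, G5, "k-g5", "k-g5", "s5")]

def find_anchor(cert, anchors):
    """Return the trust anchor that issued `cert` (name and key match), or None."""
    return next((a for a in anchors
                 if a.subject == cert.issuer and a.key_id == cert.signer_key_id), None)

def build_path(leaf, served, anchors):
    """Walk issuer links from the leaf and stop at the first trust anchor reached."""
    pool = {(c.subject, c.key_id): c for c in served}
    path, current = [leaf], leaf
    while True:
        anchor = find_anchor(current, anchors)
        if anchor:
            return path + [anchor]
        nxt = pool.get((current.issuer, current.signer_key_id))
        if nxt is None or nxt in path:   # dead end or self-signed loop
            return None
        path.append(nxt)
        current = nxt

def unused_served_certs(leaf, served, anchors):
    """Served certificates that the store-anchored path does not need."""
    path = build_path(leaf, served, anchors) or []
    return [c for c in served if c not in path]

def served_root_trusted(served, anchors):
    """Check a validator would make if it insisted on the served chain's last cert."""
    return served[-1] in anchors
```

With these inputs the store-anchored path ends at the newer G5 certificate, the two obsolete VeriSign certificates are reported as unused, and a check that insists on the served chain's own root fails.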