For the CA to be able to use OCSP, read permission to the private key must be given.
Add Read permissions to Network Service on the private key
Open the Certificate Templates snap-in.
Select the OCSP Response Signing template.
Right-click it and click Properties.
Go to the Security tab and click Add.
In the dialog, select Computers from the list of object types.
Search for the CA/OCSP computer. Click OK.
Select the newly created entry with the computer name of the OCSP responder and select Allow for the Read and Enroll permissions.
Finish the task by clicking OK.
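
To confirm the result of the steps above, the template's ACL can be read back from Active Directory. The script below is an added example, not part of the original procedure; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the computer name OCSP01 is a hypothetical placeholder for the OCSP responder.

```powershell
# Added example: verify that the responder's computer account holds
# Allow ACEs for Read and Enroll on the OCSP Response Signing template.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Hypothetical placeholder: name of the CA/OCSP responder computer.
$ResponderName = 'OCSP01'

# GUID of the Certificate-Enrollment extended right ("Enroll" on the Security tab).
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]

# Certificate templates are stored in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = Get-ADObject -SearchBase $base -Filter 'displayName -eq "OCSP Response Signing"'
if (-not $template) { throw 'OCSP Response Signing template not found.' }

# Match ACEs by SID so the result does not depend on how the name is displayed.
$sid = (Get-ADComputer -Identity $ResponderName).SID.Value

# Only ACEs granted directly to the computer account are checked, which is
# what the steps above create; rights obtained through groups are not counted.
$acl   = Get-Acl -Path "AD:\$($template.DistinguishedName)"
$allow = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow' }

# Read: the ACE must include at least the ReadProperty bit.
$hasRead = [bool]($allow | Where-Object {
    $_.ActiveDirectoryRights -band $Rights::ReadProperty })

# Enroll: an extended-right ACE scoped to the Enroll GUID
# (an empty ObjectType means all extended rights, which includes Enroll).
$hasEnroll = [bool]($allow | Where-Object {
    ($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -and
    ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty) })

[pscustomobject]@{
    Template  = $template.DistinguishedName
    Responder = $ResponderName
    Read      = $hasRead
    Enroll    = $hasEnroll
}
```

If either Read or Enroll is reported as False, the computer account has no direct Allow entry for that permission on the template.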