Some of the certification tests could cover the IPv6 firewall. For example:
make an HTTP server (preferably on a non-default port; otherwise it could be harmful for production servers) reachable only from 2001:db8:1337:cafe::/64 (of course, this is an example netmask).
More complicated filters could be:
remote TCP port,
or even something ip6tables-specific, like
breaking the connection after sending 16384 bytes (this could be cheated with httpd, however)
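
One possible ruleset for the tasks listed above, added here as an example and not part of the original post. Port 8080, the remote source-port range 49152:65535, the chain name CERT-HTTP and the function name are assumptions; the connbytes match needs conntrack accounting enabled (net.netfilter.nf_conntrack_acct=1).

```shell
#!/bin/sh
# Added example (not from the original post): emit an ip6tables-restore
# ruleset for the suggested test tasks. Chain name, port and source-port
# range are assumptions; the prefix and byte limit come from the post.

build_ruleset() {
    port=$1 prefix=$2 sports=$3 limit=$4

    # The post asks for a non-default port so production HTTP is untouched.
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ "$port" -eq 80 ]; then
        echo "use a non-default port in 1-65535" >&2
        return 1
    fi
    case $limit in
        ''|*[!0-9]*) echo "byte limit must be numeric" >&2; return 1 ;;
    esac

    # Only a dedicated chain is (re)created, so loading this with
    # --noflush leaves the host's other IPv6 rules in place.
    # Rule order inside CERT-HTTP:
    #   1. reset the connection once the reply direction (server to
    #      client) has carried $limit bytes, headers included
    #   2. accept the allowed prefix, filtered on remote TCP port
    #   3. drop every other packet aimed at the test port
    cat <<EOF
*filter
:CERT-HTTP - [0:0]
-A INPUT -p tcp --dport ${port} -j CERT-HTTP
-A CERT-HTTP -p tcp -m connbytes --connbytes ${limit}: --connbytes-dir reply --connbytes-mode bytes -j REJECT --reject-with tcp-reset
-A CERT-HTTP -s ${prefix} -p tcp --sport ${sports} -j ACCEPT
-A CERT-HTTP -j DROP
COMMIT
EOF
}

# Dry-run check (as root), then drop --test to load:
#   build_ruleset 8080 2001:db8:1337:cafe::/64 49152:65535 16384 |
#       ip6tables-restore --noflush --test
```

Loading the output twice appends the INPUT jump a second time, so remove the earlier jump before reloading.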