As far as GSKit is concerned, there is no (documented?) way to pre-select which specific, individual ciphers are used for communications, but you can disable the old version of TLS with GSK_PROTOCOL_TLSV1=0. I suspect this needs to be exported as an environment variable before you start the CMOD arssockd daemon.
Since 3DES-CBC-SHA1 is not a public key algorithm, your security folks are more likely concerned with protecting communications, and are probably confused about how the certificate factors into this.
The parameter you've set in the CMOD ars.ini file simply prevents insecure certificates from being used; it doesn't factor into the selection of ciphers. See:
https://cmod.wiki/index.php?title=ars.ini#Unlisted_CMOD_Configuration_Parameters
Your best bet is to open a new ticket, asking how to configure the ciphers that GSKit presents to clients, or for other recommended flags to set as environment variables to modify GSKit's behaviour.
-JD.