After 4 years, I don't know if you still need an answer, but at least for those like me who need the answer, here's the answer to your problem:
When you use CRAM-MD5 for authentication, it's the "ticket" given by the server that must be "crypted" with the password.
So your call to "hash_hmac" is incorrect...
Here's the good call:
$password=hash_hmac('MD5', $ticket, $password);
I tested it and it works for me...
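The full CRAM-MD5 exchange around that call, as an added example that is not part of the original answer: per RFC 2195 the server's ticket arrives base64-encoded, and the client replies with base64 of the username, a space, and the hex digest. The function names are hypothetical, and the sample user, password and ticket are the ones from the RFC 2195 example.

```php
<?php
// Added example: CRAM-MD5 (RFC 2195) client response and server-side check.
// Function names are hypothetical; sample values come from the RFC 2195 example.

function cram_md5_response(string $user, string $password, string $b64Challenge): string
{
    // The server sends the ticket base64-encoded; decode strictly.
    $ticket = base64_decode($b64Challenge, true);
    if ($ticket === false || $ticket === '') {
        throw new InvalidArgumentException('Challenge is not valid base64');
    }
    // The ticket is the HMAC message, the password is the HMAC key.
    $digest = hash_hmac('md5', $ticket, $password); // lowercase hex
    return base64_encode($user . ' ' . $digest);
}

function cram_md5_verify(string $b64Response, string $ticket, callable $lookupPassword): bool
{
    $decoded = base64_decode($b64Response, true);
    if ($decoded === false) {
        return false;
    }
    // The digest is the last space-separated token of the decoded response.
    $pos = strrpos($decoded, ' ');
    if ($pos === false) {
        return false;
    }
    $user = substr($decoded, 0, $pos);
    $digest = strtolower(substr($decoded, $pos + 1));
    $password = $lookupPassword($user);
    if ($password === null) {
        return false;
    }
    // Constant-time comparison so the check does not leak digest prefixes.
    return hash_equals(hash_hmac('md5', $ticket, $password), $digest);
}

// Sample run with the RFC 2195 example values.
$ticket    = '<1896.697170952@postoffice.reston.mci.net>';
$challenge = base64_encode($ticket); // what the server puts on the wire
$lookup    = fn(string $u): ?string => $u === 'tim' ? 'tanstaaftanstaaf' : null;

$good = cram_md5_response('tim', 'tanstaaftanstaaf', $challenge);
var_dump(cram_md5_verify($good, $ticket, $lookup));

// Swapping message and key (password hashed with the ticket as key) is rejected.
$swapped = base64_encode('tim ' . hash_hmac('md5', 'tanstaaftanstaaf', $ticket));
var_dump(cram_md5_verify($swapped, $ticket, $lookup));
```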