
If you are a certificate authority, you can issue certificates for any domain. There is nothing in the technology preventing you from issuing a whitehouse.gov certificate merely because you are based in Iran, for example.


Who is going to sign it?


Who is going to sign what?

If you mean the certificates that the certificate authority issues, then the certificate authority signs them itself.

If you mean who signs the certificate authority's authority certificate, then either another certificate authority signs it, or the certificate authority signs it itself and pays the browser makers to include it as a root certificate in their browsers.

I'm not sure what you're trying to get at?


What is the chance of Iran becoming a root CA? Passing a WebTrust audit? It's not like you can become one just by showing up.


Etisalat (state-controlled telecoms company in UAE) is a certificate authority. They are not a root CA --- Verizon signed their CA certificate. They have used this capability to intercept SSL communications.

If a UAE state-controlled telecoms company can become a CA, why not an Iranian state-controlled telecoms company? Or Chinese?


You are. You are the certificate authority, and you're trusted. Anything you sign is, by definition, valid.


Except every browser I know will barf at a self-signed cert.


Not when you are a certificate authority that is already trusted by the browsers.

Modern browsers today accept a large number of "self-signed" certificates. The key is that the signer paid the browser makers money for that privilege. SSL assumes that those companies are all trustworthy, but is any company trustworthy when the government shows up with guns and asks for the master password to your key signer?

If no, then SSL fails.

Let me summarize because you seem to be misunderstanding: a lot of untrustworthy parties are trusted by browsers. This makes SSL somewhat useful against having a coffee shop steal your Facebook password, but almost certainly useless against having a government steal your password.
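To make the thread's point concrete, here is an added example in Go (not from any poster): it builds a throwaway root CA, a subordinate CA signed by it (the Verizon-signs-Etisalat arrangement described above), and a leaf certificate for whitehouse.gov, then asks Go's standard-library verifier whether the chain is trusted. It also shows the defender-side control the thread does not mention: the X.509 Name Constraints extension, which lets the signer limit which domains a subordinate CA may vouch for. All CA names, keys and the `example.ae` constraint are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a P-256 key for tmpl, signs tmpl with parentKey (self-signed when parent is nil), returns cert + key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// ChainValidFor builds a constructed PKI (root CA -> subordinate CA -> leaf for domain) and reports whether Go's
// verifier accepts it. A non-empty permitted list adds a critical Name Constraints extension (RFC 5280 4.2.1.10).
func ChainValidFor(domain string, permitted []string) bool {
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	subTmpl := *rootTmpl // same CA profile; only the name, serial and (optionally) constraints differ
	subTmpl.SerialNumber, subTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "Constructed Subordinate CA"}
	subTmpl.PermittedDNSDomains, subTmpl.PermittedDNSDomainsCritical = permitted, len(permitted) > 0
	root, rootKey := issue(rootTmpl, nil, nil)
	sub, subKey := issue(&subTmpl, root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: domain},
		DNSNames: []string{domain}, NotBefore: rootTmpl.NotBefore, NotAfter: rootTmpl.NotAfter}, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: domain})
	return err == nil // nil: the trust store takes this CA's word for the domain, whoever the CA is
}
```

With no constraints the whitehouse.gov chain verifies, exactly as the thread says; with the subordinate CA constrained to `example.ae` the same leaf is rejected while `www.example.ae` still passes, which is why a root signing a subordinate CA's certificate should scope it rather than hand out unrestricted issuing power.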



