The A2A client 'Connection Status' PAM shows as yellow inhibiting users from running scripts from the client server(s) in this state. Stopping and starting the client sometimes helps. 

During this time the following may be observed from the A2A client log (Credentials > Manage A2A > Clients > <select the client> > Get Logs):

WARNING: Fri May 18 10:17:41.515 EDT 2018 CSPMService::doPost. Failed to process event: UNKNOWN, exception: null 
[Fatal Error] :1:1: Content is not allowed in prolog. 
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog. 

Release: 4.1.X
Component: CAPAMX

First make sure that  28088 & 28888 ports are open. 

Try updating the key: 

Credentials > Manage A2A > Clients > <double click your client> > Change Key 

If that does not work, clear the client cache file: 

1) Stop the client: 

$CSPM_CLIENT_HOME/cspmclient/bin/cspmclientd stop 

2) Delete the following if it exists: 

$CSPM_CLIENT_HOME/cspmclient/config/data/.cspmclient.dat 

3) Deactivate A2A in the device: Devices > Manage Devices > <select your device> > Unselect 'Active' 
4) Start the client: cspmclientd start 
5) Activate A2A in the device 

Confirm DNSlookup.  Issue also seen where DNSlookup has a primary IP and 15 other IP addresses.  Once registered again the IP was changed to a secondary IP which redirected through DNS properly and allowed A2a to connect.  Connection Status green.

Change \A2a Auth mappings in PAM UI as needed.