The mainframe port (1636, for example) needs to be configured as BOTH SSL and non-SSL so that the Provisioning Server can run StartTLS. Make sure the port allows both SSL and non-SSL. This is a configuration on the mainframe that must be performed by the MF administrator.
Then test whether StartTLS is working by running ldapbind with the -ZZ option. For syntax see:
Issues StartTLS (Transport Layer Security) extended operation. For -ZZ, if StartTLS does not finish successfully, the utility exits when a failure occurs.
For example, here is what was used at another site to test StartTLS:
ldapbind -h mainframe.TSS.com -p 1636 -D "cn=AIAMD,host=TSS-SSA,c=us" -w PWD -ZZ -d 65535 > result.txt 2>&1
Also, the original v1-type Top Secret Connector requires that the certificate be installed on the Provisioning Server machine (not the connector server).
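
What ldapbind -ZZ does on the wire, as an added Python example (not code from the original article or from the product): the StartTLS extended request is sent in clear text on the port, and only a success reply (resultCode 0) is followed by the TLS handshake on the same connection, which is why the port must accept both non-SSL and SSL. The function names and the cafile parameter are assumptions of this example.

```python
import socket, ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 4511)

def tlv(tag, value):
    """Encode one BER TLV; short-form length is enough for these small messages."""
    return bytes([tag, len(value)]) + value

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; accepts long-form lengths."""
    if len(buf) < pos + 2:
        raise ValueError("short or empty reply")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    if pos + length > len(buf):
        raise ValueError("truncated reply")
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("reply is not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)          # messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("reply is not an ExtendedResponse")
    _, code, pos = read_tlv(op, 0)        # resultCode
    _, _, pos = read_tlv(op, pos)         # matchedDN
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def check_starttls(host, port, cafile=None, timeout=10):
    """Send StartTLS in clear text, then upgrade the same socket to TLS."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        try:
            code, diag = parse_extended_response(raw.recv(4096))
        except ValueError as exc:  # e.g. an SSL-only port answers with a TLS alert or closes
            return False, f"no LDAP reply to the plain-text request: {exc}"
        if code != 0:
            return False, f"StartTLS refused: resultCode={code} {diag}"
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return True, tls.version()
```

Call check_starttls with the mainframe host name, the port (1636 in the example above) and, if needed, the CA certificate file. A failure at the plain-text step points at a port that only accepts SSL; a failure inside the handshake points at the certificate.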