Question:
We currently have a secure connection to an AD USER DIRECTORY over 636. Can we use a Start TLS connection to connect over 389, and if so, how would we configure that?
Answer:
CA Single Sign-On does not support STARTTLS natively at this time. However, if the user directory is Active Directory running on Windows Server, you should be able to use the SASL bind functionality of Windows/AD to get a more secure connection over port 389: a SASL bind using GSSAPI (Kerberos) or GSS-SPNEGO can negotiate LDAP signing and sealing, so the traffic after the bind is integrity-protected and encrypted by the SASL layer even though no TLS is in use. Note that a simple bind over port 389 still sends the credentials in cleartext, so the protection only applies when a SASL mechanism is actually used and signing/sealing is negotiated.
Please refer to the sources below for more about implementing SASL binding for increased connection security over unsecured ports:
Additional Information:
https://msdn.microsoft.com/en-us/library/cc223507.aspx
https://blogs.technet.microsoft.com/askds/2009/09/21/understanding-ldap-security-processing/
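As an added illustration of what a SASL bind over port 389 looks like on the Windows side (this is example code, not code from CA Single Sign-On or from the KB article above; the domain controller name, base DN and account name are assumptions), the following PowerShell uses System.DirectoryServices.Protocols to perform a Kerberos SASL bind with signing and sealing requested, then runs a small search over the protected session:

```powershell
# Added example (not from the CA Single Sign-On KB): a Kerberos (GSSAPI) SASL bind to
# Active Directory over plain LDAP port 389 with signing and sealing negotiated,
# using System.DirectoryServices.Protocols. Host name, base DN and account are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcHost = 'dc01.corp.example.com'     # assumed domain controller name
$baseDn = 'DC=corp,DC=example,DC=com' # assumed domain base DN

# Connect to 389, not 636: there is no TLS, so any confidentiality must come from the SASL layer.
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcHost, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3

# Kerberos SASL bind as the calling user (current logon credentials). AuthType.Negotiate
# (GSS-SPNEGO) also works; AuthType.Basic would be a simple bind and send the password in clear.
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos

# Request integrity (signing) and confidentiality (sealing) for the session. With both set,
# everything after the bind is GSSAPI-wrapped, so a capture on port 389 shows SASL-wrapped
# payloads rather than cleartext LDAP operations.
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true

try {
    $conn.Bind()
    Write-Host "SASL bind to ${dcHost}:389 succeeded (signing=$($conn.SessionOptions.Signing), sealing=$($conn.SessionOptions.Sealing))"

    # Sanity check: a lookup that would be sensitive if it travelled in cleartext.
    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=svc-sso))'  # assumed account
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $attrs  = [string[]]@('distinguishedName', 'userAccountControl')
    $req    = [System.DirectoryServices.Protocols.SearchRequest]::new($baseDn, $filter, $scope, $attrs)
    $resp   = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        Write-Host $entry.DistinguishedName
    }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Error "LDAP bind/search failed: $($_.Exception.Message) (server message: $($_.Exception.ServerErrorMessage))"
}
finally {
    $conn.Dispose()
}
```

The script binds with the credentials of the user running it, so it demonstrates the mechanism rather than CA Single Sign-On's own directory configuration, which the article does not give. To confirm that a client is not silently falling back to a simple bind over 389, raise the "16 LDAP Interface Events" diagnostic level on the domain controller and watch for event ID 2889 in the Directory Service log, which records binds that did not use signing.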