One PO Agent with LDAP SSL authentication to another Tree

I have a SLES10 server with 4 PO and we are interested in pointing one PO to authenticate against another eDirectory tree (our IDVault). I know it's odd but we have a few users that should have an active account in the main eDirectory tree but they have approval to keep access to GroupWise. To resolve this we thought we'd put them on their own PO and point that PO to the IDV tree such that login is still done against the directory. We'd rather not use the password in GroupWise as the IDVault is linked to an HR system so their GW account would still expire based on that HR system's account expiry.

We always authenticate using LDAP with SSL. To test this idea in the lab I've created a new GW LDAP server entry that uses the root cert for the IDVault tree and of course points to its LDAP server.
I can authenticate using an LDAP client over SSL but the GroupWise agent never succeeds.

I always get these TLS errors:
13:00:56 7AFF7BA0 00000000 FFFFFFFF LDAP: TLS accept failure 5 on connection 0x1528c000, setting err = -5875. Error stack:
13:00:56 7AFF7BA0 00000000 FFFFFFFF LDAP: TLS handshake failed on connection 0x1528c000, err = -5875

Does anyone know if it's even possible to have one PO point to a different LDAP server for authentication?

I suspect that something in GW needs to trust this new LDAP server's trusted root CA but I can't find anything that will resolve.

Any suggestions?