You can set AT-TLS policy to create an SSL pipe for the IP/Port that your remote LDAP is running on and then configure LDS to establish a plain ldap:// connection to the SSL port of the LDAP Server. When LDS goes to connect to LDAP, AT-TLS should establish the SSL connection (like a VPN tunnel) and then allow LDS to use ldap:// over the SSL channel. The setup is all in AT-TLS and LDS just runs over that tunnel.
The handshake role for the LDS LDAP connection should be set as a client. You can review the IBM Handshake Role doc for more info at: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.halz002/attls_handshake_roles.htm
To avoid non-LDS LDAP client traffic matching the AT-TLS policy, you’ll probably want to specify the local IP address that LDS is using in the policy.
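As an added illustration (not from the original post), here is what a Policy Agent AT-TLS policy fragment for this setup looks like: an outbound rule keyed on the LDS local address and the LDAP server's SSL port, with the handshake role set to Client. The addresses, the port 636, the rule/action names and the keyring name are all assumed placeholder values.

```conf
# Added example AT-TLS policy fragment for LDS -> LDAP over a TLS tunnel.
# All addresses, port numbers, names and the keyring are assumed placeholders.
TTLSRule                    LDSToLDAP
{
  # Match only traffic from the local address LDS binds to,
  # so other LDAP clients on this host do not hit this rule.
  LocalAddr                 10.1.1.5
  # Remote LDAP server and its SSL/TLS port (LDS still talks plain ldap://).
  RemoteAddr                10.1.1.20
  RemotePortRange           636
  # LDS initiates the connection, so only outbound connects are matched.
  Direction                 Outbound
  TTLSGroupActionRef        grpLDSToLDAP
  TTLSEnvironmentActionRef  envLDSClient
}

TTLSGroupAction             grpLDSToLDAP
{
  TTLSEnabled               On
}

TTLSEnvironmentAction       envLDSClient
{
  # LDS is the TLS client; AT-TLS performs the handshake on its behalf.
  HandshakeRole             Client
  TTLSKeyringParms
  {
    # Keyring holding the CA certificate that signed the LDAP server's cert.
    Keyring                 LDSRING
  }
}
```

The keyring only needs the issuing CA certificate of the LDAP server unless the server requires client certificate authentication.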