First, ensure "plainTextPasswords" is set to True before the first restart of the EM on a MOM. When starting, EM finds this value as True and encrypts a value of "bindPassword" and sets it to False. This is a required action as documented at the APM Wiki (a link is provided below in Additional Information section).
Try setting "groupMemberQuery" to
if it is not already, set "baseDN" to 'DC=' values of "bindName" property and vice versa.
For example if "bindName" is already defined as following:
"baseDN" should look like: