The solution will vary depending on the cause of the problem:
1- Ensure the system clock on the endpoint, including time zone, is set correctly and not off by more than 10 minutes.
2- Run "cacertutil list" on both endpoints and compare the organization (O=) values in the output, for example:
CN=DSM Root,O=Computer Associates,C=US
CN=DSM Root,O=Forward Inc,C=US
In this example, one endpoint is using the out-of-the-box ITCM certificates, and the other is using custom certificates generated for "Forward Inc". The two endpoints must use the same set of certificates.
3- Upgrade CAPKI to the latest version.
The version of CAPKI can be checked in the registry:
If an older version is found, you can locate the latest version from your ITCM install media:
<install media root>\WindowsProductFiles_x86\CAPKI\setup.exe
Run: setup install caller=CADSM
This will upgrade the CAPKI installation on the endpoint.
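
The organization comparison in step 2 can be scripted when several certificates are listed. The PowerShell below is an added example, not part of the original article or of ITCM. It assumes the "cacertutil list" output of each endpoint has been saved to a text file and that subjects appear in the CN=...,O=...,C=... form shown above; the function names are hypothetical.

```powershell
# Added example. Get-CertSubject and Compare-CertOrganization are hypothetical
# helper names, not ITCM commands.

function Get-CertSubject {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Pick out a subject that carries both a CN and an O component.
        if ($line -match 'CN=(?<cn>[^,]+),\s*O=(?<o>[^,]+)') {
            [pscustomobject]@{
                CN = $Matches['cn'].Trim()
                O  = $Matches['o'].Trim()
            }
        }
    }
}

function Compare-CertOrganization {
    param([string[]]$Left, [string[]]$Right)
    # Index subjects by CN. Simplification: if one endpoint lists the same CN
    # more than once, the last occurrence is the one compared.
    $byCn = @{}
    foreach ($s in Get-CertSubject $Left) {
        $byCn[$s.CN] = @{ Left = $s.O; Right = $null }
    }
    foreach ($s in Get-CertSubject $Right) {
        if (-not $byCn.ContainsKey($s.CN)) {
            $byCn[$s.CN] = @{ Left = $null; Right = $null }
        }
        $byCn[$s.CN].Right = $s.O
    }
    foreach ($cn in ($byCn.Keys | Sort-Object)) {
        $e = $byCn[$cn]
        [pscustomobject]@{
            CN         = $cn
            EndpointA  = $e.Left
            EndpointB  = $e.Right
            SameIssuer = ($e.Left -eq $e.Right)   # False also when one side is missing
        }
    }
}

# Constructed sample input, using the two subjects quoted in step 2.
# In practice: $endpointA = Get-Content .\endpointA.txt  (saved "cacertutil list" output)
$endpointA = @('CN=DSM Root,O=Computer Associates,C=US')
$endpointB = @('CN=DSM Root,O=Forward Inc,C=US')

Compare-CertOrganization -Left $endpointA -Right $endpointB | Format-Table -AutoSize
```

Any row where SameIssuer is False marks a certificate whose organization differs between the two endpoints, or that is present on only one of them.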