CA Spectrum OneClick service (OC-server) configuration with secured LDAP (LDAPs) will be possible only by default Spectrum keystore configuration. This requires LDAPs related Certificate needs to be part of default $SPECROOT/custom/keystore/cacerts.
So even CA Spectum Oneclick service configruation for the Tomcat-webserver allows via ./tomcat/conf/server.xml - here parameter "keystore" - to specify the keystore location (and keystore filename and key-pass) - this is affecting the Tomcat-Connector (for https) - but this is not effective for the LDAPs connector.
LDAPs connector is using default only keystore file "cacerts".
This is valid for any OC-server platform OS/host.
So even using for OC-"https"-service specific keystore file, please add the required Certificate for the LDAPs connector to the default keystore $SPECROOT/custom/keystore/cacerts. At practical level the default keystore file only covers the LDAPs connector cert only then.
This functionality is addressed for post CA Spectrum R10.3 improvements.