The synchronization wizard for setting up a sync to AD fails when testing AD connectivity on port 636. The host on which the sync tool runs is not part of that domain but can reach TCP port 636 on the domain controller (confirmed with a browser).
The issuer of the certificate (CN=XYZ) is not known to the client, so the client cannot validate the certificate. D1IM 7 synchronization uses the Windows ADSI API, which accepts only error-free certificates and offers no way to accept untrusted certificates as Firefox does.
The certificate of the issuing certificate authority must be installed on the client, and it must be traceable to a root certificate authority. Furthermore, when working with certificates, use only fully qualified domain names, not IP addresses or short/computer names.
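
To confirm both conditions from the client before rerunning the wizard, the following added example (not part of the original article or the product) retrieves the certificate presented on port 636 and evaluates it against the local Windows certificate stores. The host name `dc01.example.com` is a placeholder, and revocation checking is skipped here as an assumption so that the output reflects only issuer trust and name matching.

```powershell
# Constructed placeholder: replace with the domain controller's FQDN.
$Server = 'dc01.example.com'
$Port   = 636

$script:policyErrors = $null
# The callback records what Windows found during the handshake. It returns
# $true only so that the certificate can be retrieved for inspection.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    # The name passed here is the one compared with the certificate, so an IP
    # address or short name shows up as RemoteCertificateNameMismatch.
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Rebuild the chain against the local Windows certificate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # issuer trust and name only
$trusted = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
# None, RemoteCertificateNameMismatch and/or RemoteCertificateChainErrors
"Policy  : $script:policyErrors"
"Chain   : $(if ($trusted) { 'trusted' } else { 'NOT trusted' })"
$chain.ChainElements | ForEach-Object { "  element: $($_.Certificate.Subject)" }
# UntrustedRoot or PartialChain here means the CA certificate is missing
# from the client's store or does not lead to a trusted root.
$chain.ChainStatus | ForEach-Object { "  status : $($_.Status) - $($_.StatusInformation.Trim())" }
```

A result of `Policy  : None` and `Chain   : trusted` means the certificate is error-free for the name used.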