Here are excerpts that I have taken from the "Application Password Virtual Cache" chapter of the 2.5 TPAM Admin Guide.
"Applications requesting passwords from the Password Virtual Cache must provide a client certificate in order to be authenticated by the Cache. The client, or user certificate can be created by TPAM or supplied by the customer. Each certificate is associated with a user type of Cache User in TPAM."
"Additionally, when using a user-supplied certificate, a trusted root certificate that can establish trust in the user certificate must be uploaded to TPAM and assigned to the Cache(s) from which the user will request passwords. This is needed so that applications requesting passwords using this user-supplied certificate can be authenticated by the Cache."
The Root Certificate is required on the Cache Server basically for the purpose of validating the certificates that the users are presenting. This is all that should be required in terms of certificates.
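
As an added illustration (not from the TPAM guide and not TPAM's own procedure), the following sketch uses the `openssl` CLI with constructed certificates to show the trust relationship described above: a client certificate validates only against the root that issued it. All file names and subject names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file here is made up for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

make_root() {   # $1 = file prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/demo.cnf" -extensions v3_ca -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_client() {  # $1 = issuing root prefix, $2 = client prefix, $3 = common name
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/demo.cnf" \
        -extensions v3_client -out "$WORK/$2.pem" 2>/dev/null
}

# Succeeds only if the client certificate validates for TLS client
# authentication under the given root.
chains_to() {   # $1 = root prefix, $2 = client prefix
    openssl verify -purpose sslclient -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_root customer-root "Constructed Customer Root"
make_root other-root "Constructed Unrelated Root"
issue_client customer-root cache-user "constructed-cache-user"

for root in customer-root other-root; do
    if chains_to "$root" cache-user; then echo "$root: client certificate is trusted"
    else echo "$root: client certificate is NOT trusted"; fi
done
```

Running the same `openssl verify` check against a real user-supplied certificate and the root intended for upload confirms the chain before either is loaded into TPAM.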