A known issue with PCS appliances running code prior to 8.3R1 can cause a mismatch in the "primary-responder" element of a Trusted Client certificate authority. To determined if this is the cause of your mismatch perform a comparison between the master appliance in a Pulse One group and one of the other group members flagged as being mismatched. If the discrepancy is for a Trusted Client CA and the output of the comparison resembles the output below an upgrade of the PCS appliances may resolve your issue.
<primary-responder>
<responder-url></responder-url>
<allowed-clock-discrepancy>5</allowed-clock-discrepancy>
<trust-responder-certificate>false</trust-responder-certificate>
<revocation-checking>false</revocation-checking>
<last-used-time xsi:nil="true"/>
