A certificate resides inside the sdconf.rec file that is only used for TCP based agent connection.
If, at some point, the RSA Authentication Manager server name changed after its initial deployment, that certificate doesn't change (for backward compatibility) and at that point any new TCP agent when trying to connect it finds that the Authentication Manager server has a different name other than the one in the subject name in the current certificate, thus failing.
To fix this issue update the sdconf.rec certificate and then generate a new sdconf.rec file with the new certificate.
To get the certificate and update it
On the primary Authentication Manager server, open Internet Explorer and go to https://<primary hostname >:7002.
Port 7002 is used for communication between an Authentication Manager primary and replica instances and for communication between replica instances (for replay detection).
Click on the Certificate error.
Choose the top certificate and click View Certificate.
Click the Copy To File... button.
Click Next > again. Be sure to leave the DER encoding format.
Enter a name to save the DER-encoded root certificate.
Login to the Security Console and select Setup > System Settings.
Under the heading for Authentication Settings, click Agents.
On the top left of the page click the link where it says To configure agents using IPv6, click here.
Scroll down to the section on Existing Certificate Details.
Click the button next to Import Certificate of the New Primary Server that is labeled Choose File.
A common dialog box will open. Browse to the saved certificate, select it and click Open.
When done, click Update.
Generate a new configuration file (sdconf.rec) for the agent by selecting Access > Authentication Agents > Generate Configuration File > Generate Config File.
Replace the existing sdconf.rec on the agent with the newly generated sdconf.rec.
This solution would apply to any TCP-based agent that uses certificates for establishing secure connections.