here are some more informations about the problem.
The root CA certificate is imported as trusted in the system keychain of the server and the client. A certificate evaluation returns "valid certificates, trusted ...".
The client bind fails with this messages, e.g. Kerio Control is able the use LDAPS, so it seams just the problem with the trustability of the certificates. Keychain trusts the certificates, OD client bind not, this is not so consistent.
2013-03-14 19:39:02.776804 CET - Trigger - notified opendirectoryd:nodes;lastServerChanged;/LDAPv3/ldaps://macpro....:636
2013-03-14 19:39:02.793467 CET - 71825.330426.330427, Module: AppleODClientLDAP - unable to create connection to LDAP server - ldap_search_ext_s for the ro
otDSE failed with error 'server connection failed' (-1) error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed cert
ificate in certificate chain)
2013-03-14 19:39:02.793501 CE
verify error:num=19:self signed certificate in certificate chain