You'll need to use the camera icon to get the picture loaded to the forums; I don't see anything shown.
To get the certificate accepted by the client, you can choose to enable trust for the certificate when each client first connects (that trust setting is available in the SSL/TLS connection pop-ups), or you can establish your own certificate chain and load the root public key into each client (via provisioning or various other means), or you can purchase a certificate that already has the root public certificate in the keychains of your various devices.
The first — trusting the cert — is the easiest. On a local network with local servers, granting that trust is not usually an issue. With remote servers, you might not be connected to the server you think you're connected to, so this can be subverted.
Setting up a certificate authority (CA) is entirely feasible, but takes a little rummaging in the certificate tools, and you're then responsible for maintaining the root certificate private keys and any intermediate certificate private keys securely. You do need a trusted way to get the root certificate public key onto each client, as that root cert is a form of a "master key" for secured network connections.
Buying the cert is cheap and easy, though you're outsourcing your security to the root certificate authority. You're already outsourcing a whole lot of that to the root certificate authorities, so... There's no encryption-level difference between a private certificate chain and a public (purchased) certificate chain.
As for Open Directory and SSL, if Open Directory is doing something wonky, I'd first check the certificate involved to ensure it's still valid and correct, and I'd then check DNS. (DNS services and digital certificates are two sides of the same coin. SSL/TLS and certificates require correct and functional DNS.) To verify the OS X Server DNS settings, launch Terminal.app from Applications > Utilities folder and issue the non-destructive, no-changes-made, diagnostic command:
sudo changeip -checkhostname
which will display some information and then an indication that DNS is correct and valid and no changes are needed, or some information on the problem(s) it may have detected.
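The certificate half of that check can be scripted as well. The following is an added example, not part of the original post: it reports whether a certificate file is still inside its validity window and whether it matches the hostname clients use. The function names `cert_status` and `make_sample_cert` and the host `server.example.com` are hypothetical, and the `-checkhost` option assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example: certificate validity and hostname check with openssl.

# cert_status FILE HOSTNAME [SECONDS]
# Prints one of: unreadable, expiring, name-mismatch, ok
cert_status() {
    cs_cert=$1
    cs_host=$2
    cs_window=${3:-2592000}   # warn if expiry is within 30 days

    # Refuse to guess when the file is missing or is not a certificate.
    if ! openssl x509 -in "$cs_cert" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 1
    fi
    # -checkend exits non-zero when the certificate has expired or
    # will expire within the given number of seconds.
    if ! openssl x509 -in "$cs_cert" -noout -checkend "$cs_window" >/dev/null 2>&1; then
        echo "expiring"
        return 0
    fi
    # -checkhost prints "does match" or "does NOT match"; the exit code
    # is not reliable across versions, so the text is what gets tested.
    if openssl x509 -in "$cs_cert" -noout -checkhost "$cs_host" 2>/dev/null |
        grep -q "does match"; then
        echo "ok"
    else
        echo "name-mismatch"
    fi
}

# make_sample_cert FILE HOSTNAME DAYS
# Writes a constructed self-signed certificate for offline testing only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$3" -subj "/CN=$2" >/dev/null 2>&1
}

# Demo on a constructed certificate (not a real server's).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/demo.pem" server.example.com 365
cert_status "$demo_dir/demo.pem" server.example.com
rm -rf "$demo_dir"
```

A `name-mismatch` result for the name that DNS hands to clients is the certificate-side counterpart of a failed hostname check.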