You may see a red toast when trying to add an MDS or CMA to FireMon regarding a "Certificate Retrieval Failed". This means that FireMon was unable to use SIC (Secure Internal Communication) to pull down the Opsec Certificate.
You will want to first ensure TCP 18210 is open.
curl -v telnet://x.x.x.x:18210
Verify OPSEC name and one-time password are valid. Then verify OPSEC application communication settings show "Initialized but trust not established". Seeing another trust state indicates that the OPSEC application is either not initialized, or may be "trusted" by another entity.