Walter Chomak wrote a good article to help people avoid a gotcha when monitoring untrusted servers over the Internet using Operations Manager 2007 and the Gateway. This applies equally when using OpsMgr and agents with certificates. Make sure the certificate is issued for the actual FQDN of the server and that OpsMgr addresses the agent by the FQDN of the agent server. Set up name resolution using DNS or hosts files.
Credit: Walter Chomak.
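
A quick way to check both conditions on a machine is the PowerShell sketch below. It is an added example, not taken from Walter Chomak's article or from OpsMgr tooling. It assumes the certificate lives in the Local Computer Personal store (`Cert:\LocalMachine\My`), and `gateway.example.com` is a placeholder for the other end's FQDN; run it on each end with the opposite server's name.

```powershell
param(
    # Assumption: placeholder FQDN of the server at the other end of the connection.
    [string]$PeerFqdn = 'gateway.example.com'
)

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Build the local FQDN from the host name and the primary DNS suffix.
$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$localFqdn = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" }
             else { $ipProps.HostName }
if (-not $ipProps.DomainName) {
    # Workgroup machines often have no suffix, so a cert issued to an FQDN will not match.
    Write-Warning "No primary DNS suffix set; '$localFqdn' is a short name, not an FQDN."
}

# Compare the subject name (CN) of each machine certificate against the local FQDN.
# Assumption: the certificate is in the Local Computer Personal store.
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $cn = $cert.GetNameInfo($nameType, $false)   # $false = subject, not issuer
    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        SubjectName = $cn
        MatchesFqdn = [string]::Equals($cn, $localFqdn,
                          [System.StringComparison]::OrdinalIgnoreCase)
        NotAfter    = $cert.NotAfter
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.MatchesFqdn })) {
    Write-Warning "No certificate in LocalMachine\My has a subject name equal to '$localFqdn'."
}

# Confirm both names resolve. The system resolver honours the hosts file as well as DNS.
foreach ($name in @($localFqdn, $PeerFqdn)) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name)
        '{0} resolves to {1}' -f $name, ($addrs -join ', ')
    } catch {
        Write-Warning "Cannot resolve '$name'; add a DNS record or a hosts file entry."
    }
}
```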