1. The IIS Server URL for ADConnect with IIS is not externally accessible. The IIS Server URL needs to be externally accessible (regardless of where the users are located) and must route to your internal ADConnect with IIS Server. To view or update your IIS Server URL, log in to https://admin.pingone.com, click Setup, and then click Identity Repository.
2. The certificate that is presented by IIS is not trusted by PingOne. The certificate that is presented by IIS needs to be issued by a trusted third-party Certificate Authority. IIS also needs to present the full certificate chain, right up to the Root Certificate Authority. Otherwise, PingOne will not establish an SSL connection with ADConnect with IIS.
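
One way to check the second cause is to test whether a saved certificate bundle, in the order the server sends it (leaf first), chains without gaps up to a self-signed root. This is an added example, not Ping Identity code: the function names, the constructed sample chain and the hostname `adconnect.example.com` are assumptions, and it checks chain completeness only, not whether the root is one PingOne trusts.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names). Checks chain structure only, not trust.

# Print the subject or issuer ($1) of certificate file $2 in one stable format.
name_of() { openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed "s/^$1= *//"; }

# Return 0 when each certificate is issued by the next one in the bundle and
# the last one is a self-signed root; otherwise print the gap and return 1.
chain_is_complete() {
  local bundle=$1 dir count i issuer parent
  dir=$(mktemp -d) || return 2
  count=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++}
      n{print > (d "/c" n ".pem")} END{print n+0}' "$bundle")
  if [ "${count:-0}" -eq 0 ]; then echo "no certificates in $bundle"; rm -rf "$dir"; return 1; fi
  for i in $(seq 1 "$count"); do
    issuer=$(name_of issuer "$dir/c$i.pem")
    # The parent is the next certificate, or the last certificate itself (root).
    if [ "$i" -lt "$count" ]; then parent="$dir/c$((i + 1)).pem"; else parent="$dir/c$i.pem"; fi
    if [ "$issuer" != "$(name_of subject "$parent")" ]; then
      echo "certificate $i: issuer '$issuer' does not follow it in the bundle"
      rm -rf "$dir"; return 1
    fi
  done
  rm -rf "$dir"; return 0
}

# Build a constructed three-level sample chain (root, intermediate, leaf) in $1.
make_sample_chain() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  issue() {  # issue <file stem> <common name> <signer stem>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
      -CAcreateserial -days 1 -out "$d/$1.pem" 2>/dev/null
  }
  issue int "Example Intermediate CA" root
  issue leaf "adconnect.example.com" int
  cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/full.pem"   # full chain
  cat "$d/leaf.pem" > "$d/leaf-only.pem"                          # chain not presented
}

demo=$(mktemp -d); make_sample_chain "$demo"
chain_is_complete "$demo/full.pem" && echo "full.pem: complete chain"
chain_is_complete "$demo/leaf-only.pem" || echo "leaf-only.pem: incomplete chain"
```

To run the same check against a live server, save the output of `openssl s_client -connect <host>:443 -showcerts` to a file and pass that file to `chain_is_complete`.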