The documentation for this is yet to be published. Since I configured this recently and it's fresh in my mind I thought I'd commit to blog for posterity. Let me know if you found it useful and specifically if you did use the steps and found they need "tweaking".
In a situation where you cannot use mutual authentication but still need to collect security events from agents, you can configure ACS forwarders in an untrusted domain to communicate with the collector running on a management server using certificates. Communication between forwarders and a collector where Kerberos mutual authentication is not available is only possible using certificates. If you have implemented a Gateway server, note that the communication channels used for agent communication and ACS forwarder communication are different: ACS forwarder traffic will not pass via the Gateway server, which might otherwise be the expectation. If you're using a Gateway server you can of course install the ACS Collector role on the Gateway, if required. The ACS Collector database role could also reside there, or be located elsewhere with the option of using SQL authentication rather than integrated security if there is no trust, provided the default SQL port is open on any firewalls. ACS forwarders would then communicate with the Collector on the Gateway server without the need for certificates.
When a Gateway server isn't used, or the Collector role cannot be installed on the Gateway, each forwarder must communicate with a Collector in the untrusted domain via certificates (a requirement).
Here's how to do it:
The steps below assume certificate based communication between agent and management server is already configured and is working correctly (See the links at the end of this posting if you need more on configuring certificates for agent communication).
The ACS Collector has to be installed on a Management Server role and has to be a member of an Active Directory forest. It is assumed here that the Management Server is already configured to use certificates for communication with the agents in the untrusted domain. The same certificate used for Management Server authentication can be used for ACS Collector authentication (this fortunately reduces the amount of certificate maintenance you may have to perform). Recall that the intended purpose of the certificate is Server Authentication and Client Authentication, and the Subject name must contain the FQDN of the server to which it is issued.
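Before running MOMCertImport it is worth checking that the certificate in the local machine store actually meets the requirements just described. The script below is an added example and not part of the original post; it assumes the certificate lives in LocalMachine\My and that its Subject CN is the server's FQDN.

```powershell
# Added example (not from the original post): report which certificates in
# LocalMachine\My satisfy the Management Server / ACS Collector requirements
# stated above: Server Authentication and Client Authentication EKUs, a Subject
# CN equal to this host's FQDN, a private key, and a validity period that has
# not lapsed. Only built-in cmdlets and .NET X509 types are used.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # SimpleName returns the CN component of the Subject.
    $subjectCn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasServerAuth = ($ekus -contains $serverAuthOid)
        HasClientAuth = ($ekus -contains $clientAuthOid)
        SubjectIsFqdn = ($subjectCn -ieq $fqdn)
        HasPrivateKey = $Cert.HasPrivateKey
        NotExpired    = ($Cert.NotAfter -gt (Get-Date))
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate $_ }
$results | Format-Table -AutoSize

$usable = $results | Where-Object {
    $_.HasServerAuth -and $_.HasClientAuth -and $_.SubjectIsFqdn -and $_.HasPrivateKey -and $_.NotExpired
}
if ($usable) {
    "Certificate(s) suitable for: MOMCertImport /SubjectName $fqdn"
    $usable | Select-Object -ExpandProperty Thumbprint
} else {
    "No certificate in LocalMachine\My meets all requirements for $fqdn"
}
```

Run it in an elevated PowerShell session on the Management Server (and on each forwarder) so the machine store is readable.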
Assumption is that each of the agents already has a certificate and is communicating normally to the management server.
These steps assume the ACS Forwarder hasn't yet been enabled.
Once the ACS Forwarder starts it should now use certificate based auth to the Collector.
See the Operations Manager 2007 Security Guide for a discussion on obtaining and using certificate based authentication with an Enterprise or Standalone CA: http://www.microsoft.com/technet/opsmgr/2007/library/proddocs.mspx
How to import a certificate using MOMCertImport using a .PFX file (http://technet.microsoft.com/en-us/library/bb309600.aspx)
Or simpler still
How to import a certificate using MOMCertImport from the certificate store itself: MOMCertImport /SubjectName <the subject name of the cert, i.e. the FQDN>. E.g. MOMCertImport /SubjectName dc1.contoso.com
Clive Eastwood has an excellent article on how to set up Audit Collector Service using certificate based