I have to add this worked for me too.
I was trying to go from a production pair of 1500 LTMs running 10.2.4 to a pair of lab 1600s running the same version of code, upgrade the lab boxes to 11.5.1 HF10 and move the config via UCS file to a pair of 2000 LTMs.
Restoring the UCS for 11.5.1 HF10 on the primary 2000 LTM worked, but did not for the secondary. I got an error about a certificate not being present in the "trash-bin". F5 support tried to assist, but we did not make much headway.
I resorted to editing the secondary device's SCF file so it had only the network configuration. I then tried adding it to the trust group. This did not work until I set the standby/secondary LTM to offline. I tried all the steps above independently before seeing this suggestion. Without the secondary being offline the primary and secondary would "see" each other, but give me reachability errors when trying to sync. Ping between the devices was fine, and they were connected back to back, so I knew it wasn't a switch configuration issue.
The secondary was visible and "syncable" once it was forced offline before being added to the group. I now have a working HA pair.
Hope this helps someone. If you know why there's a requirement to force the device offline before adding it to the trust group then please let me know!
Nimbostratus
