I can't say why your particular trust domain is failing; however, I use the following script with every build-out. It has worked every time so far:
Initial config on each node:
modify sys global-settings { gui-setup disabled }
modify sys global-settings { hostname your.desired.hostname }
modify sys dns name-servers add { x.x.x.x y.y.y.y }
modify sys dns search add { localhost your.domain }
modify sys ntp { servers add { z.z.z.z w.w.w.w } timezone your/timezone }
Then apply your licensing. I use the tmsh method as I find it faster (also most of my devices don't have internet access):
get_dossier -b <base-registration-key> [ -a <add-on-key> ]
Then go to activate.f5.com, paste your dossier into the box, paste the returned license into /config/bigip.license, and then run: reloadlic
I generally config my LDAP and groups at this point, YMMV.
If you are not running a vCMP guest, I would do the following:
mv cm device bigip1 your.desired.hostname
Now create your trunks, VLANs and self IPs. If you are running vCMP or VE, just the self IPs. Below is just the HA interface (if you aren't using trunks, skip the trunk and specify the interface rather than the trunk in the VLAN):
create net trunk HA_TRUNK { interfaces add { 1.8 } }
create net vlan HA_VLAN { interfaces add { HA_TRUNK { } } }
create net self ha_failover { address 192.168.0.1/24 allow-service all traffic-group traffic-group-local-only vlan HA_VLAN }
Next specify your config sync IPs (variable IPs per device):
modify cm device your.desired.hostname unicast-address { { ip 192.168.0.1 } }
modify cm device your.desired.hostname { configsync-ip 192.168.0.1 }
Next create a trust relationship on one device only:
modify cm trust-domain /Common/Root ca-devices add { 192.168.0.2 } name your.other.device username admin password admin
Now (also on only one device) create a device group:
create cm device-group your-device-group { devices add { your.desired.hostname your.other.device } auto-sync enabled network-failover enabled type sync-failover }
Lastly I create however many traffic groups I need (generally one for an active/standby config):
create cm traffic-group my-traffic-group { ha-order { your.desired.hostname your.other.device } default-device your.desired.hostname }
At this point they should be paired, and I move on to my pools, virtuals, policies, etc., using only one device to configure.
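The procedure above as a small bash generator, added here as an example and not part of the original answer: it renders the steps every node runs (with that node's own hostname and self IP) separately from the trust, device-group and traffic-group steps that must run on exactly one node, and appends the status checks you would run to confirm the pair came up. Hostnames, the 192.0.2.x DNS/NTP addresses, interface 1.8, the group and traffic-group names, and the PEER_ADMIN_PASSWORD placeholder are all assumptions; the HA self IP uses port lockdown `allow-service default` rather than `all`, which is my own choice based on F5's port-lockdown guidance for failover self IPs, not something the answer states.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's script. Generates tmsh command
# files for a two-node BIG-IP sync-failover build-out. All names/IPs are
# placeholders (assumptions); paste the output into tmsh on the right box.
set -euo pipefail

# Commands that EVERY node runs, parameterised per node.
#   $1 = this node's hostname, $2 = its HA self IP, $3 = HA interface
node_config() {
  local host=$1 self_ip=$2 iface=$3
  cat <<EOF
modify sys global-settings { gui-setup disabled hostname ${host} }
modify sys dns name-servers add { 192.0.2.53 192.0.2.54 }
modify sys dns search add { localhost example.net }
modify sys ntp { servers add { 192.0.2.123 } timezone UTC }
mv cm device bigip1 ${host}
create net trunk HA_TRUNK { interfaces add { ${iface} } }
create net vlan HA_VLAN { interfaces add { HA_TRUNK { } } }
create net self ha_failover { address ${self_ip}/24 allow-service default traffic-group traffic-group-local-only vlan HA_VLAN }
modify cm device ${host} { configsync-ip ${self_ip} unicast-address { { ip ${self_ip} } } }
EOF
}
# Note: allow-service default (not all) on the HA self IP is an assumption
# based on F5's port-lockdown guidance; widen it only if you need more ports.

# Commands that run on ONE node only, after node_config has run on both.
#   $1 = this node, $2 = peer hostname, $3 = peer HA self IP,
#   $4 = device-group name, $5 = traffic-group name
# PEER_ADMIN_PASSWORD is a placeholder to substitute at paste time so the
# generated file never carries the credential.
pair_config() {
  local host=$1 peer=$2 peer_ip=$3 group=$4 tg=$5
  cat <<EOF
modify cm trust-domain Root ca-devices add { ${peer_ip} } name ${peer} username admin password PEER_ADMIN_PASSWORD
create cm device-group ${group} { devices add { ${host} ${peer} } auto-sync enabled network-failover enabled type sync-failover }
create cm traffic-group ${tg} { ha-order { ${host} ${peer} } default-device ${host} }
run cm config-sync to-group ${group}
show cm sync-status
show cm failover-status
EOF
}

# Stand-alone run: print both per-node files and the one-time pairing file.
echo "### run on bigip-a ###";  node_config bigip-a.example.net 192.168.0.1 1.8
echo "### run on bigip-b ###";  node_config bigip-b.example.net 192.168.0.2 1.8
echo "### run ONCE, on bigip-a ###"
pair_config bigip-a.example.net bigip-b.example.net 192.168.0.2 HA_GROUP TG1
```

The last two `show` lines are the check: `show cm sync-status` should report the group In Sync and `show cm failover-status` should show one node ACTIVE and the other STANDBY before you start adding pools and virtuals on the active unit.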