OMII run a "temporary" Certification Authority (CA) on the server called security.omii.ac.uk.
During a default install of, for example, the OMII Client release, the installation scripts negotiate with the OMII CA to obtain a temporary X.509 certificate. The private key associated with this certificate may be used to sign messages sent to OMII Integrated services. The certificate itself may be presented to OMII Integrated services, and these services may use it to decide whether the client is trusted.
A similar thing happens during installation of the OMII server-side WS container: a certificate is acquired that will be used to authenticate OMII Integrated services running on the target host. Clients may use this certificate to decide if they trust those services.
After default installs, trust between an OMII client and OMII services relies on both holding certificates signed by the same CA, which by default is the OMII temporary CA.
There are several points to bear in mind here:
The default policy means that every default installation of an OMII client trusts every default installation of an OMII service, and vice versa. In the world at large, this is not a realistic approach to trust.
The OMII do not have a process (or plan to introduce any process) for verifying that a party asking for a certificate from the OMII temporary CA is really who they claim to be. Certificates are automatically issued to anybody who installs the software.
By design, certificates issued by security.omii.ac.uk have a short lifetime, and will expire after (presently) one month. They are only intended for you to use when "getting started".
When you come to use OMII "in anger", you will certainly want to obtain "real" certificates from a "real" CA.
The simplest policy in a real Grid is to have all certificates for trusted clients and servers signed by the same (real) CA. For example, you could rely on the UK e-Science CA at https://ca.grid-support.ac.uk. This option will be discussed further in Acquiring a Certificate.
In the future, it will be possible to set up a grid where different client and service certificates are signed by different CAs, but this has not been implemented at present.
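The "signed by the same CA" policy and its consequences can be reproduced locally with the openssl command-line tool. This is an added example, not OMII code: the CA names, subject names and the 30-day lifetime are assumptions standing in for the temporary CA and its one-month certificates, and the check shown is a plain chain verification rather than OMII's own validation logic.

```shell
#!/bin/sh
# Constructed demo: CA names, subjects and lifetimes are made up for illustration.
# Requires the openssl command-line tool.

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA NAME DAYS: issue a certificate for NAME signed by CA, valid DAYS days.
# Nothing about the requester is verified, mirroring automatic issuance.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days "$4" -out "$1/$3.pem" 2>/dev/null
}

# trusted DIR CA NAME: succeed if NAME's certificate chains to CA.
trusted() {
    openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
}

# expires_within DIR NAME SECONDS: succeed if NAME's certificate expires within SECONDS.
expires_within() {
    ! openssl x509 -in "$1/$2.pem" -noout -checkend "$3" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" temp-ca; make_ca "$d" other-ca
    issue "$d" temp-ca client 30     # default client install
    issue "$d" temp-ca service 30    # default server install
    issue "$d" temp-ca stranger 30   # anybody else who ran the installer
    issue "$d" other-ca outsider 30  # certificate from a different CA
    for n in client service stranger outsider; do
        if trusted "$d" temp-ca "$n"; then echo "$n: trusted"; else echo "$n: rejected"; fi
    done
    expires_within "$d" client $((40 * 86400)) && echo "client: expires within 40 days"
    rm -rf "$d"
}
demo
```

The "stranger" certificate is accepted exactly like the client and service ones, which is the point made above about automatic issuance; only the certificate from the other CA is rejected.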