I think there's a misunderstanding about the encryption requirement.
The IAB guidance was for OPES-processor-to-OPES-processor. There's no
such onus on OCP.
I know a little about security protocols, and I don't see how OCP
defines a secure way to interface to transport security features.
I strongly advise ditching it rather than trying to repair it.
Hilarie