I had the same issue.
I was able to run cmsso-util unregister without errors, but I didn't get the full output I was supposed to.
I ran vdcleavefed but got the confidentiality error, or failed with an LDAP error in the logs.
I used this guy's advice to connect to my vsphere's LDAP.
http://www.electricmonk.org.uk/2017/03/07/using-jxplorer-to-connect-to-vsphere-psc-server/
When I went there, I saw that my PSC's each had a replication agreement with the defunct PSC, and not with each other.
I used vdcrepadmin -f createagreement to create a replication agreement between the two remaining PSC's.
It sorta looks like that's what was keeping the ghost of the old PSC around. After I fixed the replication agreement, I ran vdcleavefed and the old PSC went away.
- t2
