We should document in our doc/FAQ that T2000 hardware acceleration of cyrpto used during SSL negotiation is very poor (worse than software). There are two steps to the workaround:
1) Add more request handlers to the LDAP(S) connection handlers (note that I include LDAP as well since it SSL negotiation will be performed for StartTLS as well)
2) Disable hardware acceleration for the directory server's JVM. Remove SunPKCS11 security provider from jre/lib/security/java.security.
This may also be an issue for SASL authentication as well.