diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/kube-controller-manager/zz_fixture_TestControlPlaneComponents.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/kube-controller-manager/zz_fixture_TestControlPlaneComponents.yaml
index 4d11fa69b0..329c5a9a71 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/kube-controller-manager/zz_fixture_TestControlPlaneComponents.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/kube-controller-manager/zz_fixture_TestControlPlaneComponents.yaml
@@ -108,9 +108,9 @@ spec:
 - --cluster-signing-duration=17520h
 - --tls-cert-file=/etc/kubernetes/certs/server/tls.crt
 - --tls-private-key-file=/etc/kubernetes/certs/server/tls.key
- - --node-monitor-grace-period=50s
 - --cluster-cidr=10.132.0.0/14
 - --service-cluster-ip-range=
+ - --node-monitor-grace-period=50s
 - --tls-min-version=VersionTLS12
 - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 - --feature-gates=OpenShiftPodSecurityAdmission=true
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/kube-controller-manager/zz_fixture_TestControlPlaneComponents_TechPreviewNoUpgrade.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/kube-controller-manager/zz_fixture_TestControlPlaneComponents_TechPreviewNoUpgrade.yaml
index 31df76b6f4..818cdfbfb6 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/kube-controller-manager/zz_fixture_TestControlPlaneComponents_TechPreviewNoUpgrade.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/kube-controller-manager/zz_fixture_TestControlPlaneComponents_TechPreviewNoUpgrade.yaml
@@ -108,9 +108,9 @@ spec:
 - --cluster-signing-duration=17520h
 - --tls-cert-file=/etc/kubernetes/certs/server/tls.crt
 - --tls-private-key-file=/etc/kubernetes/certs/server/tls.key
- - --node-monitor-grace-period=50s
 - --cluster-cidr=10.132.0.0/14
 - --service-cluster-ip-range=
+ - --node-monitor-grace-period=50s
 - --tls-min-version=VersionTLS12
 - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 - --feature-gates=OpenShiftPodSecurityAdmission=true
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/kube-controller-manager/deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/kube-controller-manager/deployment.yaml
index a4f71cc79e..46403f05df 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/kube-controller-manager/deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/kube-controller-manager/deployment.yaml
@@ -3,7 +3,6 @@ kind: Deployment
 metadata:
 name: kube-controller-manager
 spec:
- replicas: 1
 revisionHistoryLimit: 2
 selector:
 matchLabels:
@@ -49,7 +48,6 @@ spec:
 - --cluster-signing-duration=17520h
 - --tls-cert-file=/etc/kubernetes/certs/server/tls.crt
 - --tls-private-key-file=/etc/kubernetes/certs/server/tls.key
- - --node-monitor-grace-period=50s
 command:
 - hyperkube
 - kube-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/kcm/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/kcm/deployment.go
index c31604a139..ac5d0daf0e 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/kcm/deployment.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/kcm/deployment.go
@@ -14,7 +14,6 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -35,6 +34,13 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 if hcp.Spec.Platform.Type == hyperv1.AzurePlatform {
 c.Args = append(c.Args, fmt.Sprintf("--cloud-provider=%s", "external"))
 }
+
+ if hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform {
+ c.Args = append(c.Args, "--node-monitor-grace-period=55s")
+ } else {
+ c.Args = append(c.Args, "--node-monitor-grace-period=50s")
+ }
+
 if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
 c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
 }
@@ -44,6 +50,7 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 if util.StringListContains(hcp.Annotations[hyperv1.DisableProfilingAnnotation], ComponentName) {
 c.Args = append(c.Args, "--profiling=false")
 }
+
 for _, f := range config.FeatureGates(hcp.Spec.Configuration.GetFeatureGateSelection()) {
 c.Args = append(c.Args, fmt.Sprintf("--feature-gates=%s", f))
 }
@@ -69,11 +76,6 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 }
 })
 
- deployment.Spec.Replicas = ptr.To[int32](2)
- if hcp.Spec.ControllerAvailabilityPolicy == hyperv1.SingleReplica {
- deployment.Spec.Replicas = ptr.To[int32](1)
- }
-
 return nil
 }
 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
index 0ae63c9ec5..8f6090c72f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
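Review bot: The two durations in the new `--node-monitor-grace-period` branch of adaptDeployment are bare magic strings with nothing explaining why IBM Cloud gets 55s while every other platform gets 50s, so a later reader cannot tell whether the 5s difference is deliberate or a typo. Lift them into named constants next to ComponentName and record the reason above the branch, e.g. `// IBM Cloud nodes get a slightly longer node-monitor grace period ([reason / tracking reference]); all other platforms keep the previous 50s default from the deployment asset.` Separately, the last hunk drops the SingleReplica-aware replica count without a visible replacement; presumably the component framework now sets replicas for all components, but it is worth stating in the PR description that a SingleReplica HostedControlPlane still yields one KCM replica. adaptDeployment begins before the first hunk; its closing brace is inside the last one.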
@@ -689,7 +689,10 @@ func transportForCARef(ctx context.Context, kclient crclient.Reader, namespace,
 transport := net.SetTransportDefaults(&http.Transport{
 TLSClientConfig: &tls.Config{},
 })
- roots := x509.NewCertPool()
+ roots, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, fmt.Errorf("failed to create system cert pool: %w", err)
+ }
 
 if !skipKonnectivityDialer {
 var err error
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
index ca7c19e3fe..4d57d8c1ca 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
@@ -380,7 +380,8 @@ users:
 g.Expect(gotURL).To(Equal(tc.expectedProxyRequestURL))
 
 // Validate RootCAs expectations.
- expectedCertPool := x509.NewCertPool()
+ expectedCertPool, err := x509.SystemCertPool()
+ g.Expect(err).ToNot(HaveOccurred())
 if tc.hcp.Spec.Configuration != nil {
 if tc.hcp.Spec.Configuration.Proxy.TrustedCA.Name != "" {
 expectedCertPool.AppendCertsFromPEM([]byte(fakeProxyCertCADecoded))
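Review bot: Replacing `x509.NewCertPool()` with `x509.SystemCertPool()` widens the trust set of this transport from only the CA supplied through the CA ref to every root installed on the host, so a configured CA no longer pins the connection and any server presenting a publicly trusted certificate for the target host name will be accepted; if that is intended (for example an IdP or proxy fronted by a public certificate) it should be stated where the pool is built, e.g. `// System roots are included deliberately so publicly signed IdPs/proxies validate without a CA ref; the CA ref only adds private roots.`, and if it is not, the old empty pool was the safer default. The `var err error` inside the `if !skipKonnectivityDialer` block now shadows the `err` introduced by the new `roots, err :=` line; drop that inner declaration (and assign with `=` on the lines that used it) so the shadow check in `go vet` stays quiet. The error text would also read better as `fmt.Errorf("loading system cert pool: %w", err)`, since the "failed to" prefix is redundant once the error is wrapped. transportForCARef starts before this hunk and continues after it.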
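Review bot: `expectedCertPool.AppendCertsFromPEM(...)` on the last line of the idp_convert_test.go hunk discards its bool result, so if `fakeProxyCertCADecoded` ever fails to parse the expected pool silently degrades to the bare system pool and the RootCAs comparison that follows can pass for the wrong reason. Wrap it as `g.Expect(expectedCertPool.AppendCertsFromPEM([]byte(fakeProxyCertCADecoded))).To(BeTrue())` so a broken fixture fails loudly. The enclosing test body starts before the hunk and continues after it.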