diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/cr.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/cr.go
index e07e2359..b799447b 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/cr.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/cr.go
@@ -218,6 +218,14 @@ func memcachedSlabPageSize(cr *miqv1alpha1.ManageIQ) string {
 }
 }
 
+func oidcOAuthIntrospectionSSLVerify(cr *miqv1alpha1.ManageIQ) bool {
+ if cr.Spec.OIDCOAuthIntrospectionSSLVerify == nil {
+ return true
+ } else {
+ return *cr.Spec.OIDCOAuthIntrospectionSSLVerify
+ }
+}
+
 func orchestratorImage(cr *miqv1alpha1.ManageIQ) string {
 if cr.Spec.OrchestratorImage == "" {
 return orchestratorImageNamespace(cr) + "/" + orchestratorImageName(cr) + ":" + orchestratorImageTag(cr)
@@ -351,6 +359,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 varEnableApplicationLocalLogin := enableApplicationLocalLogin(cr)
 varEnableSSO := enableSSO(cr)
 varEnforceWorkerResourceConstraints := enforceWorkerResourceConstraints(cr)
+ varOIDCOAuthIntrospectionSSLVerify := oidcOAuthIntrospectionSSLVerify(cr)
 
 cr.Spec.AppName = appName(cr)
 cr.Spec.BackupLabelName = backupLabelName(cr)
@@ -370,6 +379,7 @@ func ManageCR(cr *miqv1alpha1.ManageIQ, c *client.Client) (*miqv1alpha1.ManageIQ
 cr.Spec.MemcachedMaxConnection = memcachedMaxConnection(cr)
 cr.Spec.MemcachedMaxMemory = memcachedMaxMemory(cr)
 cr.Spec.MemcachedSlabPageSize = memcachedSlabPageSize(cr)
+ cr.Spec.OIDCOAuthIntrospectionSSLVerify = &varOIDCOAuthIntrospectionSSLVerify
 cr.Spec.OrchestratorImage = orchestratorImage(cr)
 cr.Spec.OrchestratorInitialDelay = orchestratorInitialDelay(cr)
 cr.Spec.PostgresqlImage = postgresqlImage(cr)
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go
index d9567d8c..dedddde3 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go
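Review bot: `oidcOAuthIntrospectionSSLVerify` in the first cr.go hunk keeps an `else` after a returning `if`, which the rest of the package's helpers and common Go style avoid; the early-return form reads `if v := cr.Spec.OIDCOAuthIntrospectionSSLVerify; v != nil { return *v }` followed by `return true`. The helper also lacks a doc comment even though its default is the security-relevant part: `// oidcOAuthIntrospectionSSLVerify returns the spec value, defaulting to true (verification enabled) when the field is unset.` would make that explicit. The two ManageCR hunks wire the default in the same way as the sibling fields and raise nothing further.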
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go
@@ -150,7 +150,7 @@ func Ingress(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*networkingv1.In
 func HttpdConfigMap(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, client client.Client) (*corev1.ConfigMap, controllerutil.MutateFn, error) {
 if cr.Spec.HttpdAuthenticationType == "openid-connect" && cr.Spec.OIDCProviderURL != "" && cr.Spec.OIDCOAuthIntrospectionURL == "" {
- introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL)
+ introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL, *cr.Spec.OIDCOAuthIntrospectionSSLVerify)
 if err != nil {
 return nil, nil, err
 }
@@ -659,9 +659,9 @@ func tlsSecretName(cr *miqv1alpha1.ManageIQ) string {
 return secretName
 }
 
-func fetchIntrospectionUrl(providerUrl string) (string, error) {
+func fetchIntrospectionUrl(providerUrl string, sslVerify bool) (string, error) {
 customTransport := http.DefaultTransport.(*http.Transport).Clone()
- customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+ customTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: !sslVerify}
 client := &http.Client{Transport: customTransport}
 errMsg := fmt.Sprintf("failed to get the OIDCOAuthIntrospectionURL from %s", providerUrl)
diff --git a/manageiq-operator/api/v1alpha1/manageiq_types.go b/manageiq-operator/api/v1alpha1/manageiq_types.go
index c2c7e009..46baa136 100644
--- a/manageiq-operator/api/v1alpha1/manageiq_types.go
+++ b/manageiq-operator/api/v1alpha1/manageiq_types.go
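Review bot: `*cr.Spec.OIDCOAuthIntrospectionSSLVerify` in the HttpdConfigMap hunk dereferences the new pointer field with no nil check, so any path that reaches HttpdConfigMap before ManageCR has filled in the default, or with a CR that was not passed through it, panics inside the reconciler. cr.go in the same directory already defines `oidcOAuthIntrospectionSSLVerify(cr)` with the default-to-true rule, and using it keeps that rule in one place: `introspectionURL, err := fetchIntrospectionUrl(cr.Spec.OIDCProviderURL, oidcOAuthIntrospectionSSLVerify(cr))`. Whether every caller is guaranteed to run after ManageCR is not visible in this diff. HttpdConfigMap continues past the end of the hunk.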
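Review bot: `client := &http.Client{Transport: customTransport}` in the fetchIntrospectionUrl hunk still has no `Timeout`, so an unresponsive provider can stall reconciliation on the discovery request; `client := &http.Client{Transport: customTransport, Timeout: 30 * time.Second}` (example value; add the `time` import if httpd.go lacks it) bounds it. The `InsecureSkipVerify: !sslVerify` line would benefit from a why-comment such as `// sslVerify=false disables TLS certificate verification for the provider discovery request only; the default from the CR is true.` and from a log entry when verification is off, so the relaxed setting is visible in operator logs rather than silent. The function body continues beyond the hunk, so whether a request context with a deadline is applied further down cannot be seen here.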
@@ -235,6 +235,12 @@ type ManageIQSpec struct {
 // +optional
 OIDCOAuthIntrospectionURL string `json:"oidcAuthIntrospectionURL,omitempty"`
 
+ // Enable or disable SSL verification for OIDC authentication introspection
+ // Only used with the openid-connect authentication type.
+ // If not specified, defaults to true
+ // +optional
+ OIDCOAuthIntrospectionSSLVerify *bool `json:"oidcOAuthIntrospectionSSLVerify,omitempty"`
+
 // URL for the OIDC provider
 // Only used with the openid-connect authentication type
 // +optional
diff --git a/manageiq-operator/api/v1alpha1/zz_generated.deepcopy.go b/manageiq-operator/api/v1alpha1/zz_generated.deepcopy.go
index eb64c0d8..51d91e03 100644
--- a/manageiq-operator/api/v1alpha1/zz_generated.deepcopy.go
+++ b/manageiq-operator/api/v1alpha1/zz_generated.deepcopy.go
@@ -135,6 +135,11 @@ func (in *ManageIQSpec) DeepCopyInto(out *ManageIQSpec) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.OIDCOAuthIntrospectionSSLVerify != nil {
+ in, out := &in.OIDCOAuthIntrospectionSSLVerify, &out.OIDCOAuthIntrospectionSSLVerify
+ *out = new(bool)
+ **out = **in
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManageIQSpec.
diff --git a/manageiq-operator/config/crd/bases/manageiq.org_manageiqs.yaml b/manageiq-operator/config/crd/bases/manageiq.org_manageiqs.yaml
index 8d3f568a..451c72d6 100644
--- a/manageiq-operator/config/crd/bases/manageiq.org_manageiqs.yaml
+++ b/manageiq-operator/config/crd/bases/manageiq.org_manageiqs.yaml
@@ -228,6 +228,12 @@ spec:
 Secret name containing the OIDC client id and secret
 Only used with the openid-connect authentication type
 type: string
+ oidcOAuthIntrospectionSSLVerify:
+ description: |-
+ Enable or disable SSL verification for OIDC authentication introspection
+ Only used with the openid-connect authentication type.
+ If not specified, defaults to true
+ type: boolean
 oidcProviderURL:
 description: |-
 URL for the OIDC provider
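Review bot: The new field comment in the manageiq_types.go hunk, "Enable or disable SSL verification for OIDC authentication introspection", does not say which connection it governs, and since this text also becomes the CRD description it is what users will read as the contract. From the httpd.go hunks the flag controls TLS certificate verification for the operator's own request to `OIDCProviderURL` that discovers the introspection URL, and at the visible call site it is consulted only when `OIDCOAuthIntrospectionURL` is left empty; a first line such as `// Controls TLS certificate verification for the request the operator makes to OIDCProviderURL to discover the introspection URL; not consulted when OIDCOAuthIntrospectionURL is set explicitly.` captures that, with the remaining lines kept. Note also that the new JSON tag `oidcOAuthIntrospectionSSLVerify` follows the Go name while the neighbouring, pre-existing `oidcAuthIntrospectionURL` tag omits the "O"; that cannot be changed without an API break, but it is worth a mention in the description so the pair is not mistaken for a typo. The deepcopy and CRD hunks are generated from this field and need no separate review.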