Tinkered around some more. This works:
LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -Y GSSAPI \
    -H ldaps://idmipa03.mws.mds.xyz:636 \
    -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" \
    -w "<SECRET>" \
    -b "cn=compat,dc=mws,dc=mds,dc=xyz" \
    "(uid=tom@mds.xyz)" -v | grep dn