There is a longer thread in this forum here which talks quite a bit about this subject:
Near the end, Jeremy Tammik summarized what you may be interested in the most:
-------------
We've documented the process of creating a self-signed cert that can be used for your own internal use:
http://help.autodesk.com/view/RVT/2017/ENU/?guid=GUID-B9A067F4-234F-47F8-A5EE-0D84A93FA98E
You can push the cert to machines in your domain using group policy:
https://technet.microsoft.com/en-us/library/dd807084(v=ws.11).aspx
-------------
My guess is that the cert may not be valid or the user doesn't have permission to add a cert, even to their own personal store. So Revit may be trying to add the cert when you click "Always Load" and that process is likely failing.
Pushing out your cert via group policy probably makes the most sense. The certmgr tool can at least show you what's going on before and after Always Load.
Is the problem with your own apps, or 3rd-party apps?
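One way to do the before/after check suggested above, as an added example that is not part of the original post or of Autodesk's documentation: a PowerShell script that reports how Windows evaluates the add-in's Authenticode signature and diffs the current user's certificate stores across the "Always Load" click. The add-in path and snapshot file name are placeholders.

```powershell
# Added diagnostic example; not Autodesk's or the poster's code.
# Run once before clicking "Always Load" and once after.
param(
    [string]$AddinPath    = 'C:\Path\To\YourAddin.dll',   # placeholder path
    [string]$SnapshotFile = "$env:TEMP\certs-before.csv"  # constructed file name
)

function Get-CertSnapshot {
    # List every certificate in every CurrentUser store.
    Get-ChildItem -Path Cert:\CurrentUser -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Select-Object @{ n = 'Store'; e = { ($_.PSParentPath -split '\\')[-1] } },
                      Thumbprint, Subject, NotAfter
}

# How Windows evaluates the add-in's signature (Valid, NotSigned, UnknownError, ...).
if (Test-Path -LiteralPath $AddinPath) {
    $sig = Get-AuthenticodeSignature -FilePath $AddinPath
    '{0}: {1}' -f $sig.Status, $sig.StatusMessage
    if ($sig.SignerCertificate) {
        $c = $sig.SignerCertificate
        'Signer {0} ({1}), expires {2:yyyy-MM-dd}' -f $c.Subject, $c.Thumbprint, $c.NotAfter
        # Which stores already hold the signer certificate?
        Get-CertSnapshot | Where-Object Thumbprint -eq $c.Thumbprint |
            ForEach-Object { 'Already present in CurrentUser\{0}' -f $_.Store }
    }
}

if (-not (Test-Path -LiteralPath $SnapshotFile)) {
    # First run: record the "before" state.
    Get-CertSnapshot | Export-Csv -Path $SnapshotFile -NoTypeInformation
    "Snapshot saved. Click 'Always Load' in Revit, then run this script again."
} else {
    # Second run: show what was added or removed since the snapshot.
    $before = @(Import-Csv -Path $SnapshotFile)
    $after  = @(Get-CertSnapshot)
    $diff = Compare-Object $before $after -Property Store, Thumbprint -PassThru
    if ($diff) {
        $diff | Select-Object SideIndicator, Store, Thumbprint, Subject | Format-Table -AutoSize
    } else {
        'No certificate was added to or removed from any CurrentUser store.'
    }
    Remove-Item -LiteralPath $SnapshotFile
}
```

Run it as the affected user rather than as an administrator, so the stores it reads are the ones that user's Revit session sees.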