Yes, that was it! Here is the final configuration for $config['imap_conn_options'] which worked for me:
$config['default_host'] = 'tls://mail.episcopalarchives.org';
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        'allow_self_signed' => true,
        'peer_name' => 'mail.episcopalarchives.org',
        'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
        'cafile' => '/etc/ssl/certs/ssl-cert-cyrus.episcopalarchives.org.pem',
    ),
);
The last problem I had was caused because I had set $config['username_domain'] earlier while trying to get it to work and then forgot to unset it -- this is what was giving me the cross-realm authentication error in cyrus. You can have this option set, but then the cyrus configuration must include support for virtual domains; i.e. if these fields are set in /etc/cyrus/imapd.conf
defaultdomain: episcopalarchives.org
virtdomains: on
then you can still authenticate if $config['username_domain'] is set; otherwise you get a cross-realm authentication error.
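
A pre-flight check for the username_domain / virtdomains mismatch described in the post above, added here as an example and not part of the original post or of Roundcube or Cyrus. The function names, the sample imapd.conf text and the user "alice" are constructed; it assumes Roundcube appends username_domain only to logins without an "@", and that a missing virtdomains line means off.

```python
import re

# Constructed sample of /etc/cyrus/imapd.conf using the two fields from the post.
SAMPLE_IMAPD_CONF = """\
# constructed sample
configdirectory: /var/lib/cyrus
defaultdomain: episcopalarchives.org
virtdomains: on
"""

def parse_imapd_conf(text):
    """Parse 'key: value' lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*:\s*(.*)$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf

def effective_login(user, username_domain):
    """Login name Roundcube sends: domain appended only if no '@' (assumption)."""
    if username_domain and "@" not in user:
        return f"{user}@{username_domain}"
    return user

def check_login(user, username_domain, conf):
    """Return (ok, message) for the login name Cyrus would receive."""
    login = effective_login(user, username_domain)
    if "@" not in login:
        return True, f"{login}: unqualified login, no realm involved"
    domain = login.rsplit("@", 1)[1].lower()
    virt = conf.get("virtdomains", "off").lower()  # absent is treated as off
    if virt in ("off", "no", "0", "false"):
        return False, f"{login}: virtdomains is off, expect a cross-realm error"
    if domain != conf.get("defaultdomain", "").lower():
        return True, f"{login}: virtdomains on, but '{domain}' is not defaultdomain"
    return True, f"{login}: virtdomains on and domain matches defaultdomain"
```

Run it against the real imapd.conf text and the value of $config['username_domain'] before changing either side.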