Hi. Okta does support public key pinning for AD agents, LDAP, and the browser plugin.
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. (For example, sometimes attackers can compromise certificate authorities, and then can mis-issue certificates for a web origin.) The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use 1 or more of those public keys in its certificate chain. The first time a user visits a *.okta.com site, they will be presented with a set of public key pins, one for the public key bound to the active end-entity certificate, i.e. the primary pin, and the 3 backup public key pins with a max-age expire property. The user's browser will cache the 4 pins for the duration of the max-age expire property. If a rogue site tries to MITM a *.okta.com site and the user, the user's browser will show an error that the public key that was present in the rogue site does not match any of the 4 pins cached in the browser.
If you have further questions, feel free to open a Support case at www.support.okta.com
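The cache-and-compare behaviour described in the answer above, as an added Python example that is not part of the original post or Okta's code: it parses an RFC 7469 `Public-Key-Pins` header, caches the pins until max-age expires, and checks a presented chain against them. The host name and the byte strings standing in for DER SubjectPublicKeyInfo blobs are constructed placeholders, not real keys.

```python
import base64, hashlib, re, time

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str):
    """Return (set of pin-sha256 values, max-age in seconds)."""
    pins = set(re.findall(r'pin-sha256\s*=\s*"([A-Za-z0-9+/=]+)"', value, re.I))
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', value, re.I)
    if not pins or m is None:
        raise ValueError("header needs at least one pin and a max-age")
    return pins, int(m.group(1))

class PinCache:
    """Models the browser-side pin store: host -> (pins, expiry time)."""
    def __init__(self):
        self._hosts = {}

    def note_header(self, host, header, now=None):
        now = time.time() if now is None else now
        pins, max_age = parse_pkp_header(header)
        if max_age == 0:                      # max-age=0 removes the pins
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (pins, now + max_age)

    def check_chain(self, host, chain_spkis, now=None):
        """True if the host has no live pins or any chain key matches a pin."""
        now = time.time() if now is None else now
        entry = self._hosts.get(host)
        if entry is None or now >= entry[1]:
            return True
        return any(spki_pin(s) in entry[0] for s in chain_spkis)

# Constructed sample data: placeholder SPKI blobs and a hypothetical host.
HOST = "tenant.example.test"
PRIMARY = b"spki-primary"
BACKUPS = [b"spki-backup-1", b"spki-backup-2", b"spki-backup-3"]
ROGUE = b"spki-rogue"

def build_header(spkis, max_age):
    """Server side: one primary pin plus backups, with a max-age."""
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"{pins}; max-age={max_age}"

if __name__ == "__main__":
    cache = PinCache()
    cache.note_header(HOST, build_header([PRIMARY] + BACKUPS, 3600), now=1000)
    print("legitimate chain accepted:", cache.check_chain(HOST, [PRIMARY], now=1500))
    print("rogue chain accepted:", cache.check_chain(HOST, [ROGUE], now=1500))
```

The check only protects connections made after the first visit and before max-age runs out; once the entry has expired, a chain with an unknown key is no longer rejected by the pin cache.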