diff --git a/pkg/cvo/cvo.go b/pkg/cvo/cvo.go
index 4a8aee411..7e4c2dec2 100644
--- a/pkg/cvo/cvo.go
+++ b/pkg/cvo/cvo.go
@@ -65,7 +65,6 @@ import (
 	overridesrisk "github.com/openshift/cluster-version-operator/pkg/risk/overrides"
 	updatingrisk "github.com/openshift/cluster-version-operator/pkg/risk/updating"
 	upgradeablerisk "github.com/openshift/cluster-version-operator/pkg/risk/upgradeable"
-	cvotls "github.com/openshift/cluster-version-operator/pkg/tls"
 )
 
 const (
@@ -135,12 +134,9 @@ type Operator struct {
 	cmConfigManagedLister listerscorev1.ConfigMapNamespaceLister
 	proxyLister configlistersv1.ProxyLister
 	featureGateLister configlistersv1.FeatureGateLister
-	apiServerLister configlistersv1.APIServerLister
 	cacheSynced []cache.InformerSynced
 
-	apiServerInformer configinformersv1.APIServerInformer
-	tlsOverrides *cvotls.Settings
-	profileMgr *cvotls.ProfileManager
+	applyTLSSettings func(config *tls.Config)
 
 	// queue tracks applying updates to a cluster.
 	queue workqueue.TypedRateLimitingInterface[any]
@@ -240,8 +236,7 @@ func New(
 	proxyInformer configinformersv1.ProxyInformer,
 	operatorInformerFactory operatorexternalversions.SharedInformerFactory,
 	featureGateInformer configinformersv1.FeatureGateInformer,
-	apiServerInformer configinformersv1.APIServerInformer,
-	overrides *cvotls.Settings,
+	applyTLSSettings func(config *tls.Config),
 	client clientset.Interface,
 	kubeClient kubernetes.Interface,
 	operatorClient operatorclientset.Interface,
@@ -292,6 +287,8 @@ func New(
 		enabledManifestFeatureGates: startingEnabledManifestFeatureGates,
 		alwaysEnableCapabilities: alwaysEnableCapabilities,
+
+		applyTLSSettings: applyTLSSettings,
 	}
 
 	if _, err := cvInformer.Informer().AddEventHandler(optr.clusterVersionEventHandler()); err != nil {
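Review bot: `New` stores `applyTLSSettings` into the Operator in the `@@ -292` hunk without rejecting a nil value, and `ApplyTLSSettings` (the `@@ -1245` hunk) hands that field straight to `RunMetrics`. The old code failed at startup when the profile manager could not be built; now a nil callback passed by a caller or a future test only surfaces when the metrics server applies it — as a panic inside the goroutine if RunMetrics invokes it unconditionally, or, if RunMetrics tolerates nil, as a metrics listener running with Go's default TLS settings instead of the configured profile (RunMetrics is not in this diff, so it is one of the two). A fail-fast check near the top of `New`, which already returns `(*Operator, error)`, keeps the startup contract: `if applyTLSSettings == nil { return nil, fmt.Errorf("applyTLSSettings must not be nil") }`. The rest of `New` lies outside this hunk.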
@@ -319,13 +316,6 @@ func New(
 	optr.featureGateLister = featureGateInformer.Lister()
 	optr.cacheSynced = append(optr.cacheSynced, featureGateInformer.Informer().HasSynced)
 
-	optr.apiServerLister = apiServerInformer.Lister()
-	optr.cacheSynced = append(optr.cacheSynced, apiServerInformer.Informer().HasSynced)
-
-	// Store for deferred TLS profile manager initialization (after informer sync)
-	optr.apiServerInformer = apiServerInformer
-	optr.tlsOverrides = overrides
-
 	// make sure this is initialized after all the listers are initialized
 	riskSourceCallback := func() { optr.availableUpdatesQueue.Add(optr.queueKey()) }
@@ -382,17 +372,6 @@ func New(
 	return optr, nil
 }
 
-// InitializeProfileManager initializes the TLS profile manager.
-// Must be called after informers are started and synced.
-func (optr *Operator) InitializeProfileManager() error {
-	profileMgr, err := cvotls.NewProfileManager(optr.apiServerInformer, optr.tlsOverrides)
-	if err != nil {
-		return fmt.Errorf("failed to initialize TLS profile manager: %w", err)
-	}
-	optr.profileMgr = profileMgr
-	return nil
-}
-
 // LoadInitialPayload waits until a ClusterVersion object exists. It then retrieves the payload contents, verifies the
 // initial state and returns it. If the payload is invalid, an error is returned.
 func (optr *Operator) LoadInitialPayload(ctx context.Context, restConfig *rest.Config) (*payload.Update, error) {
@@ -1245,7 +1224,7 @@ func (optr *Operator) shouldEnableProposalController() bool {
 	return optr.requiredFeatureSet == configv1.TechPreviewNoUpgrade
 }
 
-// ApplySettings returns the ApplySettings function of the TLS profile manager
-func (optr *Operator) ApplySettings() func(config *tls.Config) {
-	return optr.profileMgr.ApplySettings
+// ApplyTLSSettings returns the function that applies TLS settings to the TLS config
+func (optr *Operator) ApplyTLSSettings() func(config *tls.Config) {
+	return optr.applyTLSSettings
 }
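Review bot: The new doc comment on `ApplyTLSSettings` in the `@@ -1245` hunk says what the function returns but not where the callback comes from or who consumes it, which is what a reader of this accessor needs now that the profile manager no longer lives on the Operator. Suggest: `// ApplyTLSSettings returns the callback handed to New that applies the operator's TLS profile settings to a *tls.Config; RunMetrics uses it to configure the metrics listener.` That the callback is derived from the cluster's APIServer profile is only implied by how start.go builds it, so keep the comment to what the Operator itself guarantees.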
diff --git a/pkg/start/start.go b/pkg/start/start.go
index b1a6291e3..bee0115b1 100644
--- a/pkg/start/start.go
+++ b/pkg/start/start.go
@@ -207,6 +207,9 @@ func (o *Options) Run(ctx context.Context) error {
 	}
 
 	clusterVersionConfigInformerFactory, configInformerFactory := o.prepareConfigInformerFactories(cb)
+	// This is to ensure that APIServers get loaded when configInformerFactory is started and synced in o.processInitialFeatureGate().
+	// It is important when creating TLS profile manager later.
+	configInformerFactory.Config().V1().APIServers().Lister()
 	startingFeatureSet, startingCvoGates, startingEnabledManifestFeatureGates, err := o.processInitialFeatureGate(ctx, configInformerFactory)
 	if err != nil {
 		return fmt.Errorf("error processing feature gates: %w", err)
@@ -357,18 +360,6 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 		}
 	}
 
-	configSynced := controllerCtx.ConfigInformerFactory.WaitForCacheSync(informersDone)
-	for _, synced := range configSynced {
-		if !synced {
-			klog.Fatalf("Caches never synchronized: %v", postMainContext.Err())
-		}
-	}
-
-	// Initialize TLS profile manager after informers are synced
-	if err := controllerCtx.CVO.InitializeProfileManager(); err != nil {
-		klog.Fatalf("Failed to initialize TLS profile manager: %v", err)
-	}
-
 	resultChannelCount++
 	go func() {
 		defer utilruntime.HandleCrash()
@@ -386,7 +377,7 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 	resultChannelCount++
 	go func() {
 		defer utilruntime.HandleCrash()
-		err := cvo.RunMetrics(postMainContext, shutdownContext, restConfig, controllerCtx.CVO.ApplySettings(), o.MetricsOptions)
+		err := cvo.RunMetrics(postMainContext, shutdownContext, restConfig, controllerCtx.CVO.ApplyTLSSettings(), o.MetricsOptions)
 		resultChannel <- asyncResult{name: "metrics server", error: err}
 	}()
 }
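Review bot: The added `configInformerFactory.Config().V1().APIServers().Lister()` call in the `@@ -207` hunk discards its result and exists only for the side effect of registering the informer before `processInitialFeatureGate` starts and syncs the factory; nothing in the code checks that dependency, and the `@@ -357` hunk removes the explicit `WaitForCacheSync` that previously guarded profile-manager construction in `run`. If this line is later moved or removed — an unused-result call is exactly what a cleanup or linter pass deletes — the TLS profile manager built in `NewControllerContext` would read an empty cache, and whether that degrades the metrics listener's TLS profile silently or fails depends on `tls.NewProfileManager`, which is not in this diff. Make the intent explicit and tie it to the consumer: `// Register the APIServers informer now so processInitialFeatureGate's sync covers it; NewControllerContext builds the TLS profile manager from this informer and assumes a synced cache.` followed by `_ = configInformerFactory.Config().V1().APIServers().Informer()`. Both `Run` and `run` continue outside their hunks.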
@@ -652,6 +643,11 @@ func (o *Options) NewControllerContext(
 	}
 	rtClient := cb.RuntimeControllerClientOrDie("runtime-controller-client")
 
+	tlsProfileMgr, err := tls.NewProfileManager(configInformerFactory.Config().V1().APIServers(), o.TLSOptions.GetOverrides())
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize TLS profile manager: %w", err)
+	}
+
 	cvo, err := cvo.New(
 		o.NodeName, o.Namespace, o.Name,
@@ -665,8 +661,7 @@ func (o *Options) NewControllerContext(
 		configInformerFactory.Config().V1().Proxies(),
 		operatorInformerFactory,
 		configInformerFactory.Config().V1().FeatureGates(),
-		configInformerFactory.Config().V1().APIServers(),
-		o.TLSOptions.GetOverrides(),
+		tlsProfileMgr.ApplySettings,
 		cb.ClientOrDie(o.Namespace),
 		cvoKubeClient,
 		operatorClient,
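Review bot: `tls.NewProfileManager` is now called from `NewControllerContext` in the `@@ -652` hunk with nothing in this function verifying that the APIServers informer has synced, whereas the removed `InitializeProfileManager` documented "Must be called after informers are started and synced" and was preceded by a `WaitForCacheSync` loop. The guarantee now rests on the `Lister()` registration added in `Run` and the sync inside `processInitialFeatureGate`, which a reader of this function cannot see; since this manager decides the TLS profile the metrics listener presents, constructing it from an unsynced cache could yield a weaker profile than the cluster configured, depending on how `NewProfileManager` treats a missing APIServer object. A cheap fail-fast guard before the call both documents and enforces the precondition: `if !configInformerFactory.Config().V1().APIServers().Informer().HasSynced() { return nil, fmt.Errorf("APIServers informer must be synced before building the TLS profile manager") }`. The function continues outside the hunk.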