Use Kerberos Authentication for users and Configure KDC. If you're already using Kerberos to allow AIX hosts to authenticate users against AD, then you can import the same krb5.keytab into the HMC. You can also use the same server and realm names as per the krb5.conf.
Although it is convenient, it's probably not best practice to use the same Kerberos key for multiple hosts to talk to AD. I haven't researched that yet.
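To find the realm and KDC names that the existing krb5.conf already uses, so the same values can be entered on the HMC, here is a small parser (an added example, not part of the original notes). The realm and host names in the sample are constructed placeholders, and it assumes each realm block has its braces on separate lines from its settings.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = dc1.example.org:88
        kdc = dc2.example.org:88
        admin_server = dc1.example.org:749
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
"""

def kdc_settings(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text."""
    section = realm = default_realm = None
    kdcs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                 # new [section] header
            section, realm = m.group(1), None
            continue
        if line == "}":                       # end of a realm block
            realm = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and value.startswith("{"):
            realm = key                       # start of a realm block
            kdcs[realm] = []
        elif section == "realms" and realm and key == "kdc":
            kdcs[realm].append(value)
    return default_realm, kdcs

if __name__ == "__main__":
    default_realm, kdcs = kdc_settings(SAMPLE_KRB5_CONF)
    print("Realm:", default_realm)
    for kdc in kdcs.get(default_realm, []):
        print("KDC:", kdc)
```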
Use NTP to make sure that the HMC clock is set correctly. I'm not sure how feasible it is to use Kerberos authentication without an NTP-updated clock.
When creating the profiles on the HMC, you may need to set the Remote user ID as "email@example.com" (e.g. firstname.lastname@example.org). You should also make sure that in the "User properties" section, the "Allow remote access via the web" option is ticked.
My tested combination of technology is HMC V7 R7.7.0 SP2 and Active Directory running on Windows Server 2003.
Hopefully, I'll add more explicit instructions later.