- Bug
- Resolution: Done
- Major
- RH-SSO-7.3.0.GA
- None
RFC 6960 (OCSP) states the following in section 2.2, Response:
All definitive response messages SHALL be digitally signed. The key used to sign the response MUST belong to one of the following:
- the CA who issued the certificate in question
- a Trusted Responder whose public key is trusted by the requestor
- a CA Designated Responder (Authorized Responder, defined in Section 4.2.2.2) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA
The second option lets the OCSP responder sign responses with any certificate, but the client must know that certificate (public key) in advance. The current X.509 implementation in Keycloak does not provide a way to configure that responder certificate (only the other two options from the specification are supported right now).
When the responder URI is explicitly specified in an OCSP configuration (rather than taken from the distribution endpoints in the client certificate), configuring a responder certificate is very common.
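The following is an added example, not Keycloak or RH-SSO code, showing the three RFC 6960 signer rules side by side and why the second one needs a configured responder certificate. It uses the Python `cryptography` library to build a constructed PKI (a CA, a client certificate, a CA-delegated responder with the id-kp-OCSPSigning extended key usage, and a standalone responder whose certificate is not issued by the CA), signs OCSP responses with each signer, and then classifies the signer. The function and certificate names are assumptions made for the demonstration; the response signed by the standalone responder is only accepted once that certificate is passed in as a trusted responder, which is the configuration option the issue asks for.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.now(timezone.utc)


def make_cert(cn, pub_key, issuer_cert, issuer_key, is_ca=False, eku=None):
    """Constructed helper: issue a certificate (self-signed when issuer_cert is None)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(pub_key)
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1))
         .not_valid_after(NOW + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def build_response(signer_key, signer_cert, ca_cert, subject_cert, embed):
    """Sign a 'good' OCSP response for subject_cert; optionally embed the signer cert."""
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=subject_cert, issuer=ca_cert, algorithm=hashes.SHA256(),
                       cert_status=ocsp.OCSPCertStatus.GOOD,
                       this_update=NOW, next_update=NOW + timedelta(hours=1),
                       revocation_time=None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert))
    if embed:
        b = b.certificates([signer_cert])
    return b.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _signed_by(pub, sig, data, hash_alg):
    """True if sig over data verifies under pub (EC or RSA PKCS#1 v1.5)."""
    try:
        if isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(sig, data, ec.ECDSA(hash_alg))
        elif isinstance(pub, rsa.RSAPublicKey):
            pub.verify(sig, data, padding.PKCS1v15(), hash_alg)
        else:
            return False
        return True
    except InvalidSignature:
        return False


def verify_response_signer(resp_der, issuer_ca, trusted_responders=()):
    """Return which RFC 6960 section 2.2 rule accepts the response signer, or None."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return None
    sig, tbs, alg = resp.signature, resp.tbs_response_bytes, resp.signature_hash_algorithm
    # Rule 1: the CA that issued the certificate in question signed the response.
    if _signed_by(issuer_ca.public_key(), sig, tbs, alg):
        return "issuing-ca"
    # Rule 2: a responder certificate the relying party trusts explicitly
    # (the configuration option the issue asks Keycloak to provide).
    for cert in trusted_responders:
        if _signed_by(cert.public_key(), sig, tbs, alg):
            return "trusted-responder"
    # Rule 3: a delegated responder whose certificate is embedded in the response,
    # issued directly by the CA and carrying the id-kp-OCSPSigning EKU.
    for cert in resp.certificates:
        if not _signed_by(issuer_ca.public_key(), cert.signature,
                          cert.tbs_certificate_bytes, cert.signature_hash_algorithm):
            continue
        try:
            eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            continue
        if ExtendedKeyUsageOID.OCSP_SIGNING in eku and _signed_by(cert.public_key(), sig, tbs, alg):
            return "delegated-responder"
    return None  # signer matches none of the three rules: reject the response


def build_demo():
    """Constructed PKI: one CA, one client cert, and three kinds of OCSP signer."""
    ca_key, client_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    deleg_key, trusted_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Demo CA", ca_key.public_key(), None, ca_key, is_ca=True)
    client = make_cert("demo client", client_key.public_key(), ca, ca_key)
    deleg = make_cert("Demo delegated responder", deleg_key.public_key(), ca, ca_key,
                      eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    trusted = make_cert("Standalone responder", trusted_key.public_key(), None, trusted_key)
    return {
        "ca": ca, "trusted": trusted,
        "by_ca": build_response(ca_key, ca, ca, client, embed=False),
        "by_delegated": build_response(deleg_key, deleg, ca, client, embed=True),
        "by_trusted": build_response(trusted_key, trusted, ca, client, embed=False),
        "by_trusted_embedded": build_response(trusted_key, trusted, ca, client, embed=True),
    }


if __name__ == "__main__":
    d = build_demo()
    for name in ("by_ca", "by_delegated", "by_trusted", "by_trusted_embedded"):
        print(name, "no config:", verify_response_signer(d[name], d["ca"]),
              "| with trusted responder:", verify_response_signer(d[name], d["ca"], [d["trusted"]]))
```

The last two cases are the ones the issue is about: a response from a responder whose certificate is neither the CA's nor CA-issued is rejected whether or not the responder embeds its certificate, and only an explicitly configured trusted responder certificate makes it acceptable. Matching the signer against the response's responderID (by name or key hash) before trying signatures is a reasonable additional check that this example leaves out for brevity.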