I fought with this recently and didn’t find any info about it out in the ether anywhere so just thought I’d share in case someone else runs across it. Assume you have SharePoint installed in a classic resource forest scenario. So the SharePoint farm is in what we’ll call “Resources” forest; it has a one-way outgoing trust with the “Users” forest, where all of the user accounts live. That means that Resources trusts the accounts from Users, but Users does not trust the accounts from Resources. So what happens if you want to add accounts from the Users forest into a Secure Store Service target application? Well you just need to do the same kind of people picker customization that you would be doing for your content web applications, only you need to do it for the central admin web application in this case.
For example, in order to select and resolve accounts from the Users forest in your end user web applications you would run the command stsadm -o setproperty -propertyname peoplepicker-searchadforests -propertyvalue blah-blah-blah -url http://yourWebApp. So to enable this scenario, you just run the same exact command, only the -url parameter should be http://urlToCentralAdmin. After you make that change you should be good to go.