I was also looking into this, and found that the documentation for that alternativeSecurityIds field is defined here. Granted that document also outlines the correct way to go about joining a machine, rather than simply creating the device object. I was able to successfully generate a test device object by setting alternativeSecurityIds based on the description in that document.
To quote the document:
The Alt-Security-Identities attribute ([MS-ADA1] section 2.61) is a multi-valued UNICODE_STRING attribute (see [MS-ADTS] section 3.1.1.2.2.2, the String(Unicode) syntax). The value is formatted as follows: "X509:<SHA1-TP-PUBKEY>[thumbprint]+[publickeyhash]" where [thumbprint] is the SHA1 hash of a certificate and [publickeyhash] is the base64-encoded SHA1 hash of the X.509 certificate public key [RFC5280].