diff --git a/doc/requirements.txt b/doc/requirements.txt
index 30379d5b..4c843778 100644
--- a/doc/requirements.txt
+++ b/doc/requirements.txt
@@ -19,5 +19,5 @@ oslo.messaging>=5.29.0 # Apache-2.0
 pycadf>=1.1.0 # Apache-2.0
 PyJWT>=2.4.0 # MIT
 keystoneauth1>=3.12.0 # Apache-2.0
-oslo.cache>=1.26.0 # Apache-2.0
+oslo.cache>=3.11.0 # Apache-2.0
 python-keystoneclient>=3.20.0 # Apache-2.0
diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index 9b8fb575..810a80bc 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -219,6 +219,7 @@ object is stored.
 
 import copy
 import re
+import ssl
 
 from keystoneauth1 import access
 from keystoneauth1 import adapter
@@ -875,8 +876,26 @@ class AuthProtocol(BaseAuthProtocol):
             sasl_enabled=self._conf.get('memcache_sasl_enabled'),
             username=self._conf.get('memcache_username'),
             password=self._conf.get('memcache_password'),
+            tls_enabled=self._conf.get('memcache_tls_enabled'),
         )
 
+        if self._conf.get('memcache_tls_enabled'):
+            tls_cafile = self._conf.get('memcache_tls_cafile')
+            tls_certfile = self._conf.get('memcache_tls_certfile')
+            tls_keyfile = self._conf.get('memcache_tls_keyfile')
+            tls_allowed_ciphers = self._conf.get(
+                'memcache_tls_allowed_ciphers')
+
+            tls_context = ssl.create_default_context(cafile=tls_cafile)
+
+            if tls_certfile:
+                tls_context.load_cert_chain(tls_certfile, tls_keyfile)
+
+            if tls_allowed_ciphers:
+                tls_context.set_ciphers(tls_allowed_ciphers)
+
+            cache_kwargs['tls_context'] = tls_context
+
         if security_strategy.lower() != 'none':
             secret_key = self._conf.get('memcache_secret_key')
             return _cache.SecureTokenCache(self.log,
diff --git a/keystonemiddleware/auth_token/_cache.py b/keystonemiddleware/auth_token/_cache.py
index 3a7e0c30..b262a7ca 100644
--- a/keystonemiddleware/auth_token/_cache.py
+++ b/keystonemiddleware/auth_token/_cache.py
@@ -100,7 +100,8 @@ class _MemcacheClientPool(object):
         # python-binary-memcached , we don't want it as hard
         # dependency, so lazy load it.
         self._sasl_enabled = arguments.pop("sasl_enabled", False)
-        if self._sasl_enabled:
+        self._tls_enabled = arguments.pop("tls_enabled", False)
+        if self._tls_enabled or self._sasl_enabled:
             from oslo_cache import _bmemcache_pool
             self._pool = _bmemcache_pool.BMemcacheClientPool(memcache_servers,
                                                              arguments,
@@ -140,20 +141,23 @@ class TokenCache(object):
     _CACHE_KEY_TEMPLATE = 'tokens/%s'
 
     def __init__(self, log, cache_time=None,
-                 env_cache_name=None, memcached_servers=None,
+                 env_cache_name=None, memcached_servers=None, tls_context=None,
                  use_advanced_pool=True, dead_retry=None, socket_timeout=None,
                  **kwargs):
         self._LOG = log
         self._cache_time = cache_time
         self._env_cache_name = env_cache_name
         self._memcached_servers = memcached_servers
+        self._tls_context = tls_context
         self._use_advanced_pool = use_advanced_pool
         self._arguments = {
             'dead_retry': dead_retry,
             'socket_timeout': socket_timeout,
             'sasl_enabled': kwargs.pop("sasl_enabled", False),
             'username': kwargs.pop("username", None),
-            'password': kwargs.pop("password", None)
+            'password': kwargs.pop("password", None),
+            'tls_enabled': kwargs.pop("tls_enabled", False),
+            'tls_context': tls_context
         }
         self._memcache_pool_options = kwargs
 
diff --git a/keystonemiddleware/auth_token/_opts.py b/keystonemiddleware/auth_token/_opts.py
index 70e233a0..b2621faf 100644
--- a/keystonemiddleware/auth_token/_opts.py
+++ b/keystonemiddleware/auth_token/_opts.py
@@ -124,6 +124,32 @@ _OPTS = [
                secret=True,
                help='(Optional, mandatory if memcache_security_strategy is'
                ' defined) This string is used for key derivation.'),
+    cfg.BoolOpt('memcache_tls_enabled',
+                default=False,
+                help='(Optional) Global toggle for TLS usage when comunicating'
+                ' with the caching servers.'),
+    cfg.StrOpt('memcache_tls_cafile',
+               help='(Optional) Path to a file of concatenated CA certificates'
+               ' in PEM format necessary to establish the caching server\'s'
+               ' authenticity. If tls_enabled is False, this option is'
+               ' ignored.'),
+    cfg.StrOpt('memcache_tls_certfile',
+               help='(Optional) Path to a single file in PEM format containing'
+               ' the client\'s certificate as well as any number of CA'
+               ' certificates needed to establish the certificate\'s'
+               ' authenticity. This file is only required when client side'
+               ' authentication is necessary. If tls_enabled is False, this'
+               ' option is ignored.'),
+    cfg.StrOpt('memcache_tls_keyfile',
+               help='(Optional) Path to a single file containing the client\'s'
+               ' private key in. Otherwhise the private key will be taken from'
+               ' the file specified in tls_certfile. If tls_enabled is False,'
+               ' this option is ignored.'),
+    cfg.StrOpt('memcache_tls_allowed_ciphers',
+               help='(Optional) Set the available ciphers for sockets created'
+               ' with the TLS context. It should be a string in the OpenSSL'
+               ' cipher list format. If not specified, all OpenSSL enabled'
+               ' ciphers will be available.'),
     cfg.IntOpt('memcache_pool_dead_retry',
                default=5 * 60,
                help='(Optional) Number of seconds memcached server is'
diff --git a/keystonemiddleware/tests/unit/test_opts.py b/keystonemiddleware/tests/unit/test_opts.py
index c9b1e2f5..7671a225 100644
--- a/keystonemiddleware/tests/unit/test_opts.py
+++ b/keystonemiddleware/tests/unit/test_opts.py
@@ -58,6 +58,11 @@ class OptsTestCase(utils.TestCase):
             'memcache_security_strategy',
             'memcache_secret_key',
             'memcache_use_advanced_pool',
+            'memcache_tls_enabled',
+            'memcache_tls_cafile',
+            'memcache_tls_certfile',
+            'memcache_tls_keyfile',
+            'memcache_tls_allowed_ciphers',
             'memcache_pool_dead_retry',
             'memcache_pool_maxsize',
             'memcache_pool_unused_timeout',
@@ -106,6 +111,11 @@ class OptsTestCase(utils.TestCase):
             'memcache_security_strategy',
             'memcache_secret_key',
             'memcache_use_advanced_pool',
+            'memcache_tls_enabled',
+            'memcache_tls_cafile',
+            'memcache_tls_certfile',
+            'memcache_tls_keyfile',
+            'memcache_tls_allowed_ciphers',
             'memcache_pool_dead_retry',
             'memcache_pool_maxsize',
             'memcache_pool_unused_timeout',
diff --git a/releasenotes/notes/tls-support-via-oslo-cache-51d744dd8a3f6ba0.yaml b/releasenotes/notes/tls-support-via-oslo-cache-51d744dd8a3f6ba0.yaml
new file mode 100644
index 00000000..962077a2
--- /dev/null
+++ b/releasenotes/notes/tls-support-via-oslo-cache-51d744dd8a3f6ba0.yaml
@@ -0,0 +1,4 @@
+---
+other:
+  - |
+    Added tls support to the MemcacheClientPool driver via oslo.cache
diff --git a/requirements.txt b/requirements.txt
index e5cd41a3..aebe2b02 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,7 +3,7 @@
 # you find any incorrect lower bounds, let us know or propose a fix.
 
 keystoneauth1>=3.12.0 # Apache-2.0
-oslo.cache>=1.26.0 # Apache-2.0
+oslo.cache>=3.11.0 # Apache-2.0
 oslo.config>=5.2.0 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0