OTP and using a CA for host key verification?

I’d like to use OTP to give a new user their first SSH session, but I also wan’t to provide them with the CA so that they have some protection against an MITM impersonator of that SSH host. Is it possible / accepted to do this?