DEP is separate from AirWatch enrollment. When devices are properly assigned, DEP directs iOS devices to an MDM solution, AirWatch, IronMobile, JAMF,etc.
If your Apple DEP configuration in AirWatch has ' Lock MDM Profile' Enabled AND you need to do this because your APN certificate expired, I am pretty sure you need to do a device wipe in order for the new certificate to be installed to the device. When the Lock MDM Profile is enabled, a user cannot remove the Device Management profile, meaning it cannot be un-enrolled.
For any situation, I always go with Erase All Content and Settings on Corporate Owned devices.
At setup, the device will check with Apple. If device is in DEP, it will be directed to your AirWatch OG, as configured. The device will receive your AirWatch DEP profile and assignments.
Make sure that you MDM server certificate and your VPP token are not expired.