I ended up downloading an intermediate certificate bundle from our cert provider, both InCommon RSA Server CA, and USERTrust RSA Certification Authority, and imported those in to the intermediate certificate store. I deleted the two expired certificates. Restarted the server and bingo, the cert chain is clean, and after a reboot the old legacy WYSE clients started working again.