Environment
NetIQ Cloud Access 3.0
NetIQ Cloud Access 2.3
Situation
The customer is using CloudAccess (3.0) primarily for federation with Office 365. The certificate used on the NetIQ CloudAccess (NCA) appliance is expiring.
The documentation indicates that updating or replacing the signing or connector certificates should automatically update the SAML/WS-Fed service providers with the new signing certificate if they are part of the provisioning setup, i.e. there should be no need to update the Office 365 configuration.
After upgrading the signing certificate, users could no longer SSO to Office 365; Office 365 returned errors stating that the token was invalid.
Resolution
Manually force an update of the single sign-on domain's federation settings using the 'Set-MsolDomainFederationSettings' cmdlet from the MSOnline PowerShell module. In this case the federated domain in Office 365 was emea.netiq.com and the CloudAccess box was idp.emea.netiq.com:
Set-MsolDomainFederationSettings -DomainName emea.netiq.com -IssuerUri https://idp.emea.netiq.com/osp/a/t1/auth/wsfed/metadata
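Before and after forcing the update, it is useful to confirm whether Office 365 actually holds the signing certificate the CloudAccess appliance is publishing. The following check is an added example, not part of the original article or the NetIQ product; it assumes the MSOnline module is installed, that Connect-MsolService has already been run, and reuses the domain and metadata URL from the article.

```powershell
# Added example (not from the original article): compare the signing certificate
# Office 365 holds for the federated domain with the certificate(s) currently
# published in the CloudAccess WS-Fed metadata. Assumes the MSOnline module is
# loaded and Connect-MsolService has already been run.
$domain      = 'emea.netiq.com'
$metadataUrl = 'https://idp.emea.netiq.com/osp/a/t1/auth/wsfed/metadata'

# Certificate Office 365 currently trusts for this domain (base64 DER, no PEM headers)
$fed = Get-MsolDomainFederationSettings -DomainName $domain
if (-not $fed.SigningCertificate) {
    throw "Domain $domain has no signing certificate registered in Office 365 (is it federated?)"
}
$o365Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    , [Convert]::FromBase64String($fed.SigningCertificate))

# Certificate(s) the IdP is publishing right now; metadata may list more than one
# (e.g. signing and encryption), so collect them all
[xml]$meta = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$dsNs = 'http://www.w3.org/2000/09/xmldsig#'
$idpCerts = @($meta.GetElementsByTagName('X509Certificate', $dsNs) | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        , [Convert]::FromBase64String($_.InnerText.Trim()))
})

"Office 365 trusts : $($o365Cert.Thumbprint) (expires $($o365Cert.NotAfter))"
$idpCerts | ForEach-Object { "IdP publishes     : $($_.Thumbprint) (expires $($_.NotAfter))" }

if ($idpCerts.Thumbprint -contains $o365Cert.Thumbprint) {
    'OK: Office 365 holds a signing certificate the IdP currently publishes.'
} else {
    'MISMATCH: Office 365 still holds a different signing certificate; re-run Set-MsolDomainFederationSettings for this domain.'
}
```

A MISMATCH after the certificate rollover is the condition that produces the "token invalid" errors described above.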