I'm an idiot!
I figured it out. In our case we did need to include the trust chain.
So I just did this:
#cp ourcert.crt ourcert_bundle.crt
#cat ourcert.crt > ourcert_bundle.crt
#cat gd_bundle.crt >> ourcert_bundle.crt
The gd_bundle.crt is the cert bundle from Go Daddy.
Then I imported the ourcert_bundle.crt into the CPPM. The Server Certificate, Intermediate CA, and Root CA all now show under "Server Certificate".
Our Apple and Android devices are no longer complaining about not trusting the cert on the CPPM.
The worst part is, now that I have done this, I remember doing this the last time. But for some reason, for the life of me, I couldn't remember it :(
Thanks for the help!
Cheers
------------------------------------------------------------------------ EDIT
I think there is something wrong with how the certificate is loaded on the CPPM.
When we issue the command below it spits out a bunch of errors:
openssl s_client -connect <domain name>:443
depth=0 OU = Domain Control Validated, CN = <domain name>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = <domain name>
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = <domain name>
verify error:num=21:unable to verify the first certificate
verify return:1
When we uploaded the commercial cert, we loaded the "cert bundle" provided by Go Daddy into the "Trust List" of the CPPM.
Does the certificate that we upload need to include the trust chain as well? Or just the certificate issued by our CA?
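
An added example, not part of the original post: a shell check that a PEM bundle such as ourcert_bundle.crt holds the server certificate first and then each issuer in order, which is what avoids the "unable to get local issuer certificate" errors shown above. The helper names `check_bundle`, `make_demo_chain` and `issue` are hypothetical, and the demo chain is constructed throwaway data, not a real CA.

```shell
#!/bin/sh
# Added example: sanity-check a PEM bundle's order before importing it.
# check_bundle FILE -> 0 chain present and ordered
#                      1 fewer than two certs (leaf only: clients get no chain)
#                      2 a certificate is not followed by its issuer
check_bundle() {
    tmp=$(mktemp -d) || return 3
    # Split the bundle into one file per certificate: c1.pem, c2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++}
                     n{print > (d "/c" n ".pem")}' "$1"
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    rc=0
    [ "$n" -ge 2 ] || rc=1
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        # The issuer name of cert i must equal the subject name of cert i+1.
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/c$i.pem")
        next=$(openssl x509 -noout -subject_hash -in "$tmp/c$((i + 1)).pem")
        [ "$issuer" = "$next" ] || rc=2
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# issue NAME SUBJECT SIGNER SERIAL: sign NAME.crt with SIGNER's key.
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" &&
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -set_serial "$4" -out "$1.crt" -days 1
}

# Constructed test data: throwaway root -> intermediate -> leaf in directory $1.
make_demo_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key \
          -out root.crt -subj "/CN=Demo Root" -days 1 &&
      issue int "/CN=Demo Intermediate" root 2 &&
      issue leaf "/CN=cppm.example.test" int 3 ) >/dev/null 2>&1
}
```

The check compares issuer and subject names only; it does not validate signatures or expiry, so `openssl verify` against the trusted root is still the authoritative test.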