I believe you would need to get users to re-onboard in order to add the new trusted root certificate to the client.
To force users to re-onboard I would create a new boolean attribute with an initial value of FALSE. Then write an enforcement policy that checks whether this attribute is present or set to FALSE when a client authenticates. If it is not present or is FALSE, then send a new user role back to the controller which forces the client to re-onboard. Once the onboarding is complete, you set this attribute to TRUE so that the next time they authenticate they don't get the new user role.
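A small model of the enforcement logic described above, added here as an illustration rather than taken from the post or from any NAC product. The attribute name, role names and the endpoint record are assumptions; the point it shows is that a missing attribute must be treated the same as FALSE, and that the attribute is only flipped to TRUE once onboarding has actually completed.

```python
from dataclasses import dataclass, field

# Assumed names; substitute whatever your policy server and controller use.
ATTR = "NewRootTrusted"             # boolean endpoint attribute, initial value FALSE
REONBOARD_ROLE = "reonboard-role"   # role that forces the client back into onboarding
NORMAL_ROLE = "authenticated-role"  # role a fully onboarded client normally receives


@dataclass
class Endpoint:
    """Constructed stand-in for a client record on the policy server."""
    mac: str
    attributes: dict = field(default_factory=dict)


def attribute_is_true(endpoint: Endpoint) -> bool:
    """Only an explicit TRUE counts; absent, FALSE or garbage all fail closed."""
    value = endpoint.attributes.get(ATTR)
    return isinstance(value, str) and value.strip().upper() == "TRUE"


def enforcement_role(endpoint: Endpoint) -> str:
    """Role returned to the controller when this client authenticates."""
    return NORMAL_ROLE if attribute_is_true(endpoint) else REONBOARD_ROLE


def complete_onboarding(endpoint: Endpoint) -> None:
    """Called once the client has finished onboarding with the new trust anchor."""
    endpoint.attributes[ATTR] = "TRUE"


def walkthrough(endpoint: Endpoint) -> list:
    """Roles seen across two logins with onboarding in between."""
    roles = [enforcement_role(endpoint)]   # first login: forced to re-onboard
    complete_onboarding(endpoint)
    roles.append(enforcement_role(endpoint))  # next login: normal role
    return roles


if __name__ == "__main__":
    # Constructed sample endpoints: one never flagged, one explicitly FALSE.
    for ep in (Endpoint("00-11-22-33-44-55"), Endpoint("66-77-88-99-aa-bb", {ATTR: "FALSE"})):
        print(ep.mac, walkthrough(ep))
```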