O.K. Finally got things working.
Firstly, I tried generating a cert with SAN entries of the form IP:<cppm1>,IP:<cppm2>, etc. I did this over the whole cluster and rebooted them all.
This worked from the point of view that in Access Tracker I could view all entries from every cluster member (2 in this case). The problem was that although this bit did work, replication didn't, so I started seeing replication errors in the event log. If left unchecked, I guess my cluster members would have dropped out of the cluster.
I then changed the SAN entry to be of the form DNS:<cppm1>,DNS:<cppm2>... and rebooted them all.
And this time not only did Access Tracker work, but so did replication.
Final tidy-up: increasing the cert lifetime to 5 years, and that's it sorted.
At some point I'll do our production cluster, but that'll require a SAN statement with 10 IP addresses.
Thanks to jpearcy00 for his comments.