Hello!
In regards to question #2..
Is this just for Onboard or company 802.1x?
In general for 802.1x..
In your Windows SSID profile - do you have "Validate Certificate" checked? Also - do you have "Connect to these servers" with a fqdn entered in here?
If you do - then you absolutely don't want to change the CN in the certificate since that would cause windows to NOT connect. In Clearpass you would be seeing alot of timeouts with errors like "Client did not complete EAP transaction".
If you want to change the CN you should change the GPO that push your SSID profiles and add the new name as valid servernames to connect to.
For Onboard.. If you change the Radius CN I'm pretty sure it would break the certificate validation for the currently enrolled devices and make them unable to logon. Depending on the type of device it might just cause them to get a popup just to authenticate connecting to that new server. Still - more noice for support which I'm sure you don't want ;)