Comodo now known as sectigo, now uses a 3 step certificate chain instead of four. After the 30th of may the old certificates are no longer valid.
Managed to put the three certificates into a new certificate chain and imported it into clearpass.
The subscriber needed a services restart but back to normal again.
Browsers and devices usually handle this themselves, but you have to do it manually on clearpass.
I live and learn
Thanks!
PS Thanks TAC team