Took longer to get things lined up than I'd expected, but we now have a VRRP-mated, redundant-master pair using the IP of the old master and there were almost no hitches.
I took the former local (3600) controller and the RMA replacement (3600) controller and made them a VRRP pair on a spare IP address to test. Then took them off the production switch and cabled them together so they could still talk but not be seen by the world.
With them isolated, I changed their virtual IP address to the current master IP, added the tunnel interfaces and moved Masterhood to the newer unit and confirmed configuration sync and handoff etc.
To make the swap, I disconnected the LAN cables from the outgoing single-failing-master and connected the pair of redundant masters, and everything but three tunnels came back up.
For some reason I had to go to the far end controllers for those three tunnels and shut/wiat 5 minutes/no shut the tunnel to get traffic to pass.
Now everything seems to be good.