From a newsgroup post: "This means that your certificate is not issued to the pool name. Please check the certificate on the front-end servers (belonging to the pool) and ensure that they match the pool FQDN.
In rare cases, this can also happen due to badly configured DNS. When the server tries to resolve the host, it gets an IP address of a server that does not belong to the pool".
From a newsgroup post: "The certificates used are directly linked to the FQDNs targeted. Therefore, if your AP targets FQDN lcsfe.contoso.com but gets a certificate for sip.contoso.com back, it is going to encounter connectivity issues.
There are other options available if you would like to use different FQDNs but make it so that employees do not need to configure their clients for a different server:
1. Internally you can deploy a policy to specify which server a client will target.
2. You can deploy SRV records which will direct clients to the correct FQDN. Read the Live Communications Server 2005 Document Planning Guide for details.
If you are concerned about the cost of public certifications, you can use your own internal CA for your front-end certificate and then deploy the certificate chain for your CA across your internal machines".
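Both failure modes described in the posts above (a certificate issued to a name other than the FQDN being targeted, and DNS returning an address that is not a pool member) can be checked together. The following is an added example, not part of either post: the function names, the sample certificate dict and the 192.0.2.x addresses are constructed, and accepting a match on either the subject CN or a DNS SAN entry is an assumption about the matching rule.

```python
import ipaddress

# Constructed sample, in the dict shape returned by ssl.SSLSocket.getpeercert().
WRONG_CERT = {
    "subject": ((("commonName", "sip.contoso.com"),),),
    "subjectAltName": (("DNS", "sip.contoso.com"),),
}


def cert_names(cert):
    """Collect every DNS name the certificate carries (subject CN plus DNS SANs)."""
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return sorted(n.lower().rstrip(".") for n in names)


def name_matches(pattern, fqdn):
    """Exact match, or a wildcard covering exactly one left-most label."""
    fqdn = fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*.") and "." in pattern[2:]:
        head, _, rest = fqdn.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def check_pool(target_fqdn, cert, resolved_ips, pool_ips):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    names = cert_names(cert)
    if not any(name_matches(n, target_fqdn) for n in names):
        findings.append(f"certificate names {names} do not cover {target_fqdn}")
    pool = {ipaddress.ip_address(ip) for ip in pool_ips}
    strays = [ip for ip in resolved_ips if ipaddress.ip_address(ip) not in pool]
    if strays or not resolved_ips:
        findings.append(f"{target_fqdn} resolves outside the pool: {strays or 'no address'}")
    return findings


if __name__ == "__main__":
    # Constructed addresses from the documentation range 192.0.2.0/24.
    for line in check_pool("lcsfe.contoso.com", WRONG_CERT,
                           ["192.0.2.99"], ["192.0.2.10", "192.0.2.11"]):
        print("FAIL:", line)
```

Against a live server, the certificate dict can come from `getpeercert()` on a verified TLS connection and the resolved addresses from `socket.getaddrinfo()`.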