I know I asked this question briefly but now here is the full detail and I'm so desperate to get some help from the Pro's..
Here is what we are trying to do
Customer has a single CM cluster one PUB CM and a subscriber at site A and site B has two subscribers , Site A to site B has 1GB WAN link. All the phones in site A and site B register securely using CTL/CAPF/Etokens all that good stuff from Cisco. TFTP and CTL/etokens for site A is on PUB CM, for site B TFTP is one of the subscribers in B side but etokens is on PUB CM since the USB key is sitting on PUB server. Now the fun begins customer decided to split this in to two CM clusters for various business reasons so site A cluster will exist and site B going with new cluster. Separating a cluster and register the phones in new cluster is no brainer but since the phones is registered securely all the site B phones will have the certificate installed with Site A publisher name or IP address. What is the best way to split the cluster so we don't have to go to each phone at Site B to delete the certificates manually.
More Info ..
Existing cluster is CM 4.1.3 sr 5 and security is set up in Mixed Mode.
New cluster at site B will be CM 6.1 and there is a new USB key we got for site B new cluster to do the secured authentication for phones.
Customer doesn't want end users to see any difference at Site B when we move their phones to new cluster, since they have 14000 CMC and 6000 FAC and lot of config's I decided to backup and restore from site A cluster and upgrade to 6.1.2 and change the hostname to match the new host names so I don't have to reconfigure everything. Since we have this secured authentication for phones I'm not sure how to do this easily because if I make one mistake then only way I can recover is to manually deleting the certificates on the phone. Hope I explained it well please advice and thanks for all your help.
If I end up doing this manual deletion is there any automated process to do this so I don't have to go to each phone.