Wednesday, September 9, 2009

Digicert Intermediate Cert Eclipsed by Root - ActiveSync issues

We recently ran into an issue where using a new Digicert certificate essentially broke ActiveSync for most people in the company. The issue is that the new root certificate for Digicert isn't compatible with older browsers and devices (they don't come standard with the new root certs for Digicert like they might with Verisign and others). The primary phone of the organization was a Motorola Q, which made the issue quite visible.

The problem boiled down to this root cert taking precedence over the intermediate cert, which would have worked fine on its own (Digicert calls this eclipsing, which I suppose is a more valid term). After the Digicert root cert was removed, the issue was resolved.

Note: Be sure that the intermediate is in place and functioning or else you will break all of the modern phones and browsers as well.

Also as an alternative fix, you could install the root cert on the phones in question. This is more labor intensive, but might be viable if there are only a few old straggler phones floating around.
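
A simplified model of the eclipsing behaviour and both fixes described above, added here as an illustration and not taken from the original post or from Digicert. The certificate names, the helper functions, and the rule that a self-signed match wins during chain building are assumptions made for the example.

```python
from collections import namedtuple

# Constructed certificates with placeholder names (not real Digicert certs).
Cert = namedtuple("Cert", "name subject issuer")
LEAF = Cert("leaf", "mail.example.test", "New CA")
NEW_ROOT = Cert("new root (self-signed)", "New CA", "New CA")
CROSS = Cert("cross-signed intermediate", "New CA", "Legacy Root")
LEGACY = Cert("legacy root (self-signed)", "Legacy Root", "Legacy Root")

def self_signed(cert):
    return cert.subject == cert.issuer

def server_chain(leaf, server_store):
    """Certs the server sends. Assumed rule: when two certs match the issuer
    name, the self-signed one wins (the eclipse); roots are never sent."""
    chain, cur = [leaf], leaf
    while True:
        matches = [c for c in server_store if c.subject == cur.issuer]
        if not matches:
            return chain
        nxt = max(matches, key=self_signed)  # True sorts above False
        if self_signed(nxt):
            return chain
        chain.append(nxt)
        cur = nxt

def client_trusts(sent, client_roots):
    """True if the sent chain links up and some cert in it was issued by a
    root the client already holds."""
    linked = all(a.issuer == b.subject for a, b in zip(sent, sent[1:]))
    trusted = {r.subject for r in client_roots}
    return linked and any(c.issuer in trusted for c in sent)

def scenario(server_store, old_phone_roots=(LEGACY,)):
    sent = server_chain(LEAF, server_store)
    return {
        "sent": [c.name for c in sent],
        "old_phone": client_trusts(sent, old_phone_roots),
        "modern": client_trusts(sent, (LEGACY, NEW_ROOT)),
    }

if __name__ == "__main__":
    print("eclipsed:     ", scenario([NEW_ROOT, CROSS, LEGACY]))
    print("root removed: ", scenario([CROSS, LEGACY]))
    print("root on phone:", scenario([NEW_ROOT, CROSS, LEGACY], (LEGACY, NEW_ROOT)))
```

In the eclipsed case the server sends only the leaf, so a device holding just the legacy root cannot anchor it; once the new root is out of the server's store, the cross-signed intermediate is sent and both kinds of client validate.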

Reference:

https://www.digicert.com/ssl-support/windows-cross-signed-chain.htm

You can also run a good test for this and other issues at:

https://www.digicert.com/help/
