Also, sorry for the followup, but I forgot to mention.
All services and communication seem to be working with the exception of the following:
1. The joining new servers to IPA as the downloads the bundle for path A still and puts in
in /etc/ipa/ca.crt which will then fail on the API calls to IPA.
2. Executing an ipa-certupdate on any hosts fails. For the ipa-certupdate to even work, I
have to manually clean up the ca.crt with only the path C CA certificates. Then it'll
start to work and hit the api, but when it rewrites the /etc/ipa/ca.crt file and fail on
the last steps.
I'm guessing the join and update are both getting the CA certs from API which is
reaching into the LDAP db itself. If I can get those old CAs removed and new ones added,
I'm hoping all will be fixed.