This may be a bit long-winded, so my apologies in advance!
We have a rather sticky problem with certificates on our new Exchange 2007 Client Access server set up. We are currently in the process of trying to migrate from Ex2K3 to Ex2K7. We've moved a few test clients over to the new Ex2K7 server and they are all getting certificate errors when Outlook 2007 starts up on domain joined machines (internal clients). The error states that the site name that Outlook is looking for is different from what is on the cert. And it is correct. Here is the whole sorry saga of our certificate tragedy:
We are a school in the UK. We have a publicly registered domain name that ends with .sch.uk. Our internal/private AD domain name is nearly identical to our public domain name and also ends in .sch.uk (don't ask, this was before my time) and looks very much like a public domain name. Because of this, we were unable to find a single commercial certificate provider that would include our internal FQDNs in any UCC certificate we wanted. In the end, we purchased a Digicert UCC cert that had only our external FQDNs for the CAS server and autodiscover services. We tried to work around this problem by enabling both our commercial cert and the default MS cert that ships with Ex2K7, to which we added all of our internal FQDNs. The hope was that the external clients would use the commercial cert, while the internal clients would use the default simple cert. This seemed to work for a brief time, but after a few weeks, Outlook 2K7 on the internal clients began ignoring the internal certificate and started using the commercial cert which, of course, didn't have any of the internal information on it, and hence they started getting the certificate error on startup. After much wrestling with this issue, we made the decision to register our internal domain name so that we could provide Digicert with a "whois" for it, and they would then be happy to add our internal FQDNs to our commercial cert. However, I then spoke to Nominet and was told that we could NOT register our internal domain name because it has the .sch.uk suffix, and since we already have one .sch.uk domain name registered, we can't register another one.
We've been given two options by certificate providers, domain name registrants and Nominet alike:
1. Rename our external domain name so that it is the same as our internal domain name
2. Rename our internal domain name to use a suffix like .int or .local
Neither of these options is even slightly appealing to us so we are desperately trying to find a work-around.
I am now aware that having two active certificates running on the same CAS server is not supported. Is it possible to have two CAS servers in the same organisation and to force internal clients to use a specific one for autodiscover? If so, we could set the two up and just have the Digicert commercial cert on one for external access and have the MS default cert enabled on the other for internal access.
Any other thoughts or ideas would be greatly appreciated. Many thanks,
Adam
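As an added example (not part of Adam's post or any vendor tooling), the following Exchange 2007 Management Shell script shows where the "site name differs from the cert" error actually comes from: it lists the names on the certificate bound to IIS, then gathers the hostnames that domain-joined Outlook clients are handed through the Autodiscover SCP (AutoDiscoverServiceInternalUri) and the InternalUrl of the EWS and OAB virtual directories, and flags any hostname the IIS certificate does not cover. The server name CAS01 is an assumed placeholder; the script is meant to be run on the CAS itself, since Exchange 2007's Get-ExchangeCertificate has no -Server parameter.

```powershell
# Added example, not from the original post. Run in the Exchange 2007 Management
# Shell on the Client Access server. "CAS01" is an assumed placeholder name.
$cas = "CAS01"

# The certificate enabled for the IIS service is the one HTTPS clients
# (Autodiscover, EWS, OAB, Outlook Anywhere) are actually shown.
$iisCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" }
$coveredNames = @()
foreach ($c in $iisCerts) {
    $coveredNames += @($c.CertificateDomains | ForEach-Object { "$_" })
}

# Hostnames that internal Outlook clients are told to connect to. Outlook
# compares each of these against the names on the certificate it receives.
$internalUris = @()
$internalUris += (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri
$internalUris += (Get-WebServicesVirtualDirectory -Server $cas | ForEach-Object { $_.InternalUrl })
$internalUris += (Get-OABVirtualDirectory -Server $cas | ForEach-Object { $_.InternalUrl })

function Test-NameCovered([string]$hostName, [string[]]$names) {
    # True on an exact match, or when a wildcard entry such as *.example.sch.uk
    # covers the hostname (wildcards match exactly one label on the left).
    foreach ($n in $names) {
        if ($n -ieq $hostName) { return $true }
        if ($n.StartsWith("*.")) {
            $suffix = $n.Substring(1)              # ".example.sch.uk"
            $idx = $hostName.IndexOf(".")
            if ($idx -gt 0 -and $hostName.Substring($idx) -ieq $suffix) { return $true }
        }
    }
    return $false
}

Write-Output ("Names on the IIS-bound certificate(s): " + [string]::Join(", ", $coveredNames))
foreach ($u in $internalUris) {
    if ($u -eq $null) { continue }
    $h = ([System.Uri]$u).Host
    if (Test-NameCovered $h $coveredNames) {
        Write-Output ("OK       {0}" -f $u)
    } else {
        Write-Output ("MISMATCH {0}  (host '{1}' is not on the IIS certificate)" -f $u, $h)
    }
}
```

Every MISMATCH line is a name that Outlook will complain about once the commercial certificate is the one bound to IIS. The same cmdlets have Set- counterparts (Set-ClientAccessServer -AutoDiscoverServiceInternalUri, Set-WebServicesVirtualDirectory -InternalUrl, Set-OABVirtualDirectory -InternalUrl), so the two ways to clear the list are to get those names onto the certificate, or to point the internal URLs and the SCP at a name that is already on it.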