Self signed certificate on the sbs server was about to expire.
I renewed it with the "fix network" tool, and it is updated ok.
However now my phone will not sync.
I tested with a second phone and if I delete and add the account again it works fine - however this is not convenient for lots of staff / accounts.
I have sent the new certificate to the phone via another account and installed it, and I can browse the OWA site ok from the phone.
I notice there appears to be no way to delete the old certificate from the phone.
I have read on some sites that the phone should have the root cert not the leaf.
I understand the root cert is the one created in the public\downloads folder on the server - which I have sent to the phone.