I'd be pulling my hair out over this one if I had any.
Scenario:
Two CAS servers load balanced using MS NLB.
NLB DNS: mail.domain.local
Host 1: cas1.domain.local
Host 2: cas2.domain.local
Email domains: company.com, company2.com
Both CAS servers have the same certificate assigned to them. It is an internally generated certificate that is signed by our internal CA.
The Subject name on the cert is: mail.domain.local
SANs: mail.domain.local, autodiscover.domain.local, autodiscover.company.com, autodiscover.company2.com, cas1, cas1.domain.local, cas2, cas2.comain.local, portal.company.com, portal.company2.com
This certificate has been assigned to the CAS servers using PowerShell for IIS and SMTP. It is the ONLY certificate on those CAS servers. I have verified in IIS that that cert is bound to the Default Web Site for port 443.
Internal Autodiscover uri: https://mail.domain.local/autodiscover/autodiscover.xml
External Autodiscover uri: https://portal.company.com/autodiscover/autodiscover.xml
There is TMG proxy to handle the external Autodiscover which uses a public GoDaddy signed cert and has the following Subject and SANs.
Subject: portal.company.com
SANs: portal.company.com, portal.company2.com, autodiscover.company.com, autodiscover.company2.com
The rule tests out fine in TMG.
The Issue:
Recently we went through a rebranding and updated all of our mailboxes to use @company2.com as the default SMTP proxy address. So I have updated all our internal and external autodiscover certs to reflect that new domain.
Internally and externally Autodiscover works fine for user@company.com.
Externally Autodiscover works fine for user@company2.com
However, internally whenever I try to use Autodiscover for user@company2.com I get a pop-up warning me about a name mismatch on the certificate. Here is the strange thing. If I view the certificate details it is a PUBLIC WILDCARD certificate that we used way back before we switched to public SAN certs for the external side and internally signed SAN certs for the internal side. I have NO idea where this cert is assigned or why Outlook is hitting a server with that cert when it's doing an Autodiscover.
According to the Test E-mail AutoConfiguration in Outlook for user@company2.com, it's looking at the SCP in AD, which returns https://mail.domain.local/autodiscover/autodiscover.xml, and Autodiscover is successful. But I still get the certificate warning pop-up.
Can anyone suggest where else I should be looking for that wildcard certificate?
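A script for hunting down where a stray certificate is being served from, added here as an example and not part of the original post. It assumes it is run from an elevated Exchange Management Shell on one of the CAS servers (the Get-ExchangeCertificate, Get-ClientAccessServer, Get-*VirtualDirectory and Get-OutlookAnywhere cmdlets are the Exchange 2010-era ones); the hostnames in $hostsToProbe are the ones named in the post and are the only environment-specific values. The one check worth stressing is the last section: the Autodiscover response hands Outlook a set of EWS, OAB and Outlook Anywhere URLs, and each of those gets its own TLS handshake, so a name-mismatch warning can be raised by a host other than the one the SCP pointed at. The probe opens a TLS session to every name, records what it resolved to and which certificate was actually presented, and compares the presented SAN list against the name the way a client would.

```powershell
# Added troubleshooting script, not part of the original post.
# Assumes: elevated Exchange Management Shell on a CAS server; hostnames taken from the post.
# Nothing here changes a binding; it only enumerates and probes.
$hostsToProbe = @('mail.domain.local', 'cas1.domain.local', 'cas2.domain.local',
                  'autodiscover.domain.local', 'autodiscover.company2.com', 'portal.company2.com')

# Return the CN plus every DNS entry in the SAN extension (OID 2.5.29.17) as plain strings.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = [regex]::Match($Cert.Subject, 'CN=([^,]+)').Groups[1].Value
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields "DNS Name=mail.domain.local, DNS Name=cas1.domain.local, ..."
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $names | Select-Object -Unique
}

# Client-style name check: exact match, or "*.suffix" covering exactly one leading label.
function Test-NameCovered {
    param([string]$HostName, [string[]]$DnsNames)
    foreach ($n in $DnsNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName.EndsWith($n.Substring(1))) {
            $left = $HostName.Substring(0, $HostName.Length - $n.Length + 1)
            if ($left.Length -gt 0 -and $left -notmatch '\.') { return $true }
        }
    }
    return $false
}

# Open a TLS session and return whatever certificate the peer presents, without validating it:
# the point is to see the wrong certificate, not to be told that it is wrong.
function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

Write-Host "== Certificates in LocalMachine\My (wildcards flagged) =="
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $names = Get-CertDnsNames $_
    $flag = if ($names -match '^\*') { 'WILDCARD' } else { '' }
    '{0} {1,-9} {2}  [{3}]' -f $_.Thumbprint, $flag, $_.Subject, ($names -join ', ')
}

Write-Host "`n== HTTP.SYS SSL bindings (what every HTTPS listener on this box really serves) =="
netsh http show sslcert | Select-String 'IP:port|Certificate Hash'

Write-Host "`n== Exchange certificate-to-service assignments =="
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject -AutoSize

Write-Host "`n== URLs Autodiscover hands to Outlook (each one is a separate TLS handshake) =="
Get-ClientAccessServer           | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
Get-AutodiscoverVirtualDirectory | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
Get-WebServicesVirtualDirectory  | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
Get-OABVirtualDirectory          | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
Get-OutlookAnywhere              | Format-Table Server, ExternalHostname -AutoSize

Write-Host "`n== Live probe: what each name resolves to and which certificate it presents =="
foreach ($h in $hostsToProbe) {
    try {
        $ips  = ([System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }) -join ','
        $cert = Get-PresentedCertificate $h
        $ok   = Test-NameCovered $h (Get-CertDnsNames $cert)
        '{0,-30} -> {1,-18} {2}  {3}' -f $h, $ips, $cert.Thumbprint, $(if ($ok) { 'name OK' } else { 'NAME MISMATCH' })
    } catch { '{0,-30} -> probe failed: {1}' -f $h, $_.Exception.Message }
}
```

Add every hostname that shows up in the URL listing to $hostsToProbe and run the probe section from an internal Outlook client as well as from the CAS server itself: a name that resolves to a different address from a client (stale internal DNS, a host file, a split-brain zone) will show up as a different thumbprint in the probe output, and that is usually where an old wildcard certificate is hiding.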