Well, I've managed to goof something up. Copied the ASCII from the latest one, from "primary", to the CS.cfg file on both servers, copied the /etc/pki/pki-tomcat/alias directory from the "primary" to the "secondary" and restarted pki-tomcat on both servers. That all said it worked. However, restarting ipa on the "secondary" now dies at pki-tomcatd. Logs showed an error of "Enter password for Internal Key Storage Token" and then the dreaded repeating "WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@14444612 background process" for five minutes until it fails. Ugh.