What the developer says, from the description is sensible to me, but the problem is theirs.

To verify that this is exactly what is happening you can do a wireshark capture and then decode the flow as SSL. If the problem is that the client do not trust the certificate send by the server and reject the connection you will see it in the handshake in the wireshark.

If you use a java client you could run it with -Djavax.net.debug=ssl to see the ssl messages from within java.

If this is indeed the problem then you must configure the client’s truststore to have the certificate send by the server (which is the original one).

If this configuration is possible of course… This depends on the application

UPDATE:

Well if you migrated to a new CA, i.e. you deploy a new certificate in your interface, then sorry to say, it is “your” -meaning the server side- error.
IMHO, if it is possible, you should redeploy the old certificate for a prespecified period, communicating to all the stakeholders that you plan to migrate to a new certificate signed by a new CA, so that the clients don’t break

Then it is their responsibility, within that period, to “fix” their client apps to be able to accept the new certificate. This can be as simple as configuration i.e. importing the certificate to a truststore, to as “complicated” as to change code and rebuild the client app (e.g. if the new issued certificate does not have extensions that the code is verifying or the CN has changed etc).

If it is not possible to redeploy the old certificate then, you just have to communicate the change to all stakeholders and then, they should “fix” it accordingly (as mentioned above)