I ended up re-doing it with the tomcat alias and the matching hostname. It works but not sure if I screwed something up with the CSR the first time or if one of these was necessary for it to work.
Anyhow - cert from www.instantssl.com worked flawlessly when I did it this way.