We did this when we rolled out CAS 5 as well. New servers, new DNS names,
the whole deal.

To answer your specific questions:
1. We generated new ones. I don't think you have to, but it just seemed
to make more sense to "start fresh" so we knew what components we had
installed.
2. It

We're finally getting up to CAS 5.3.x, and for a variety of reasons, we
built a new server with a different host name. As part of the transition,
we'll be updating the "Third-party identity provider" settings in Google
Apps with the new URL and keys.
As I'm sure others have gone through this, so