So I have done a bit more to try and resolve this. Seems I have been here before (well nearly): iOS Ziti Client cannot connect to controller. In that instance, I had a red dot, but now I have a green dot, and an API connection.
So, I decided to recheck my PKI and make sure it is all correct. Especially since the router changed the certificate. I had not updated the client certificate on the controller for the last couple of years. Mostly because it worked. But, could this be the issue? No.
So, going back to basics, my cas.pem still contained some intermediate certs. I had thought that I had removed them. I followed through this: Python SDK throws "Controller not available" error - #27 by dmuensterer and got that sorted.
I then followed Certificate Expired - #2 by gooseleggs to recreate all certificates, including client certs.
Now, following this: PKI Troubleshooting | OpenZiti from top to bottom I am getting ============ SUCCESS! ============ for all tests. I cannot test the iPhone identity, but I used an identity that is/was working.
I have then re-enrolled the iOS phone, and still no dice.
So, I have now verified (and likely corrected) the PKI and all tests are returning good, so where I thought that PKI might have been a problem, I don't see that it is now.