So far through my investigation i found that the jabber guest api and the sdk are different things, initially i though they where the same, sofar i found you actually have 3 SDKs and 1 API or at least that is how is presented on the documentation. so invoking the jabber api from outside doesn't seem a very good idea security wise.

For the link portion of my problem i was investigating using the JG api to dynamically create links and change the caller name, however a new version of JG now allows the caller name to be inserted on the jabber gest url dynamically, so that issue is solved

For the certificates its still unclear but i will test this soon,  if you develop your own Jabber Guest app for I,E Iphone, the question is what are the public Certificate required for the https/tls communication, i now suspect the certificate portion is handled only by the express way E/C pair and therfeore the public ca that  the app should use is the same as the one on ExpE/C pair

Jabber Guest relies on a native binary component - in browsers and mobile - to establish the secure connections to Expressway; I think it's safe to assume it relies on the local OS's cache of CA certificate authorities by default, into which you could install custom CA certificates as well.

The 'link management' API would typically be used by an application inside the firewall, which would be coordinating with an external-facing webserver to dynamically create/delete routing links to be used by JG users.  It would still be via HTTPS, although typically the API endpoint would not be exposed to the external internet.