I ran into this issue a few months ago with my organization. I know this post is a few months old, but figured I would add on. The issue is with Windows Update KB3172605, the depreciation of SHA1 certificates. This blocked IE from accessing any CUCM, CU, or UCCX sites. I initially thought this was because the tomcat cert that the systems used were self-signed certs. We had other systems that were SHA1 but still worked, but also were using our wildcard corporate cert. I retrieved an internal Microsoft CA cert and uploaded it but was still unsuccessful. I opened a TAC case but they stated that they don't support the versions we were running (8.0.3) and the only option was to upgrade to at least version 10.0 since it is the earliest release that supports SHA2. Our versions doesn't support SHA2 at all or wildcard certs. That isn't an option for us. So I have found two ways to get around it besides just removing that update.
a) Get websites to work in Chrome. The site would allow us to access it, but the drop down menu's didn't work. So using a GPO you can force install the Chrome Add-In "IE Tabs". This allows the drop down menus to function
b) Change the GPO for the SSL Cipher Suite Order. I found another Cisco Support page of others having the same issue. Their proposed resolution was to change this specific Windows GPO. I have tested this option and was able to get it to work. The only issue I ran into is my org uses Direct Access for remote users and the provided order broke DA. So after a little modification I was able to restore the DA issue, and still have the sites accessible.
http://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express-1061/200556-UCCX-10-6-Pages-Does-not-Load-in-IE11-Af.html
I hope this helps others. I am still looking/hoping for a more permanent solution to this issue. As of January 1st, 2017 none of the major browsers will support SHA1 so I fear these work-arounds will no longer be effective.
Thanks,
Matt
