The only workaround was to log into the CLI and issue the revert command. With TAC's assistance massaging the backed up config, we were able to import it, and then use the certconfig CLI command to change the managment web interface off of the Demo Certificate. Then join the domain again, kick the proxy and all should be good.
Cisco needs to PULL 10.5.2-042. It breaks the most fundamental feature of a webfilter. If you cannot correctly identify users, how are you supposed to assign them a proper access policy in order to decide where they can or can't go? This is the cornerstone to any good webfilter and I can't believe this release has been out since 2/15/2018 and still continues to be made available when it breaks the entire operation. Thats like saying you are buying a car without a steering wheel.