Hi Ayaz.
IP phone can download the new cert from asa only if the old one is still valid.
You should upload the newly created cert to CUCM as phone-vpn-trust and add it to gateway certificates.
Once that has been done, cycle the phone.
HTH
Regards
Carlo
Please rate all helpful posts
"The more you help the more you learn"