How to encrypt the internal traffic for all phones

Yazen Alaa
Level 1

Dear All

I have CUCM 8.5; the customer wants to encrypt all internal traffic for all phones. How? Is it recommended?

thanks and regards

4 Replies

paolo bevilacqua
Hall of Fame

Not recommended unless really, really necessary and mandated. Unless you are UC certified, especially if you are the end user, do not try "do it yourself", to avoid unpleasant situations.

However, it is explained in the product documentation.

Thanks Paolo for your answer.

Jonathan Schulenberg
Hall of Fame

As Paolo stated this is not to be taken lightly. This is one of those situations where you really want someone who's done mixed mode CUCM clusters before; there are a lot of gotchas to this.

With that said, the document to start with would be the Cisco Unified Communications Manager Security Guide. It's critical that you understand how things will work in a mixed mode cluster. A few FAQs that arise when reading that doc:

  • Do I really need the pair of hardware security tokens? Yes, a minimum of two.
  • What happens if I lose them? You're screwed and will have to touch every phone manually. Put one in the same place you put your backup tapes or a safety deposit box.
  • Can't I use the MIC instead of generating LSCs? Not recommended. Cisco specifically says not to trust the MIC beyond CAPF enrollment.
  • What happens when the LSC expires? You'll need to re-enroll it through CCM Admin. The phone does *not* auto-renew its certificate.
  • What happens when a server certificate expires (e.g. cucm-tftp)? You must renew it and then re-run the CTL Client to update the CTL file. You'll need one of the hardware tokens to sign the updated file.
  • How does this impact performance/scale/bandwidth? Every call will consume more bandwidth for SRTP; re-run all of your WAN QoS calculations. PSTN gateways and media resources (e.g. conferencing) are typically cut in half from a performance perspective. IPVMSA (aka software MTP/Conf on CUCM nodes) does not support encryption.
  • How do I get application X to support SRTP? Frequently you can't. An easy example of this is Contact Center Express, which doesn't support it. Read the documentation of every product deployed before proceeding.
  • What about Jabber? Not yet supported. Even when it is, be wary of users who roam from one computer to the next. The LSC is stored on the PC and must roam with the user (i.e. Windows Roaming Profiles).

Please remember to rate helpful responses and identify helpful or correct answers.
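The two expiry items in the answer above (the LSC that a phone never renews on its own, and the server certificate whose renewal forces a CTL Client re-run signed with a hardware token) are the ones that surface months after the cutover, so here is an added example, not code from this thread or from Cisco, of a small Go checker that reads certificates as PEM and reports which of the two renewal paths each one needs. The role names, the one-PEM-block-per-file input, the 30-day warning window and the three certificate names (cucm-tftp, cucm-capf, SEP001122334455-LSC) are assumptions made for the example; the certificates themselves are generated inline as constructed test data rather than exported from a cluster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRole decides what an expiry forces: a certificate carried in the CTL file
// needs renewal plus a token-signed CTL re-run; a phone LSC must be re-enrolled.
type CertRole int

const (
	RoleCTLEntry CertRole = iota // CallManager, TFTP or CAPF certificate in the CTL file
	RoleLSC                      // Locally Significant Certificate on a phone
)

// Finding is one row of the expiry report.
type Finding struct {
	Name     string
	DaysLeft int
	Status   string // "expired", "expiring" or "ok"
	Action   string
}

// actionFor maps role and status to the operator task named in the answer above.
func actionFor(role CertRole, status string) string {
	switch {
	case status == "ok":
		return "none"
	case role == RoleLSC:
		return "re-enroll the LSC through CAPF from CCM Admin; the phone will not auto-renew it"
	default:
		return "renew the certificate, then re-run the CTL Client and sign the new CTL file with a hardware token"
	}
}

// Assess parses one PEM "CERTIFICATE" block (assumed input: one block per file, as
// exported from CUCM OS Administration) and classifies it against now and a warning window.
func Assess(name string, role CertRole, pemBytes []byte, now time.Time, warnDays int) (Finding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, fmt.Errorf("%s: no CERTIFICATE block found", name)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, fmt.Errorf("%s: %w", name, err)
	}
	daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24) // truncates toward zero
	status := "ok"
	if daysLeft < 0 {
		status = "expired"
	} else if daysLeft <= warnDays {
		status = "expiring"
	}
	return Finding{name, daysLeft, status, actionFor(role, status)}, nil
}

// makeTestCert builds a constructed self-signed certificate (test data only, fixed
// all-zero seed) so the example runs offline; a real run would read exported PEM files.
func makeTestCert(notAfter time.Time) []byte {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// DemoReport checks three constructed certificates (hypothetical names) against a fixed
// date with a 30-day window: TFTP expired 5 days ago, CAPF 20 days left, LSC 400 days left.
func DemoReport() ([]Finding, error) {
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)
	specs := []struct{ name string; role CertRole; days int }{
		{"cucm-tftp", RoleCTLEntry, -5}, {"cucm-capf", RoleCTLEntry, 20}, {"SEP001122334455-LSC", RoleLSC, 400},
	}
	var findings []Finding
	for _, s := range specs {
		f, err := Assess(s.name, s.role, makeTestCert(now.AddDate(0, 0, s.days)), now, 30)
		if err != nil {
			return nil, err
		}
		findings = append(findings, f)
	}
	return findings, nil
}

func main() { fmt.Println(DemoReport()) }
```

Running it prints one Finding per certificate: the expired TFTP certificate and the soon-to-expire CAPF certificate both get the "renew, re-run CTL Client, sign with a token" action, while the LSC with 400 days left gets "none". To use it against a real cluster, replace makeTestCert with the PEM files exported from the certificate pages of Cisco Unified OS Administration and the LSCs collected from the phones, and treat the CTL-entry findings as the ones that need a hardware token on hand on the day of renewal.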

Hi Jonathan,

First of all, thanks for your reply.

Do you have a security document or link that shows me how to encrypt the traffic for all phones step by step?

As I understood when I read it, it is better to use the CTL by using mixed mode; what are the configuration steps in CUCM?

Where can I install the CTL?

How do the TFTP/CUCM connect with the CTL server?

What critical issues can I face when I use CTL encryption? Because I didn't configure encrypting the traffic for phones before.

Please update me ASAP.

Thanks and regards