Hi,
Please excuse me if I misread your question, but it seems as if you want to change the root CA that signed the ACS's certificate? The reason for this is because people outside the company will come and connect to the wireless network?
I don't think this is a big issue because root certificates are not meant to be extremely secure; anyone can join the wireless network and then receive a prompt flagging them to not trust the ACS since it isn't signed by a trusted CA. All the user has to do at this point is to accept and they can trust the ACS to send their credentials. As far as gaining access to the network, the ACS still has to validate the user.
Let me know if that is the question you are wanting answered.
Thanks,
Tarik Admani