Hi @craiglebutt
Do those four PSN's sit behind a load balancer? If yes, then there may be a chance that the load balancer is terminating the TCP connection for the SSL - which means you need to install the new certs in the load balancer too. I have run into this situation before on F5 LTM's.
If there is no load balancer involved, then I assume you have four AuthZ Profiles that redirect to the appropriate PSN based on the ISE Hostname ? And that also means you need four DNS entries (e.g. guestportal1.somedomain and guestportal2.somedomain, etc.) where those FQDNs map to the correct IP address of the respective ISE node.
Ensure that DNS is not being blocked for Guests - using a windows/mac device, just check that you can resolve all four ISE FQDNs from the client.
I have a feeling that your PSN is returning the wrong URL. If you don't have a load balancer then you HAVE to make ISE "self aware" in the AuthZ Policies to return the correct URL redirect for each individual PSN. Your guest devices MUST talk to the same PSN web server (via DNS lookup from the URL) that was using during the initial MAB request (the NAS has a config that tells it which PSN it chooses as Primary, Secondary, Tertiary, etc.)