According to the Cisco guide, if 'use tls certificates' is the only option checked off, then you must exchange tomcat certs between the publisher of the hub and spoke cluster.
Recently in my lab server the tomcat cert expired, and I had uploaded a new CA cert on both hub and spoke a month back, and I can still see the ILS last contact time updating without any issues. Please see the screenshots below; below is the cert of the hub cluster with the expiry.
Below is the list of certs in the spoke cluster with hostname edipvluccmlab01, tomcat-trust list; the cert that I have of the hub cluster is an expired one.
Below is the snapshot of the ILS configuration from the spoke cluster; you can see I've just the TLS certificate check box ticked.
I was expecting it to show like below, which is from another cluster.
Looks like you use CA signed certificates. With this, your CM nodes will have the CA root and, if applicable, intermediate certificates in the tomcat trust store, and with this you don’t need to exchange the tomcat certificate between your nodes.
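
The trust behaviour described in the reply can be reproduced offline with OpenSSL. This is an added example, not part of the thread and not Cisco code; it assumes OpenSSL chain validation as a stand-in for how a node evaluates its tomcat-trust store, and `Lab-Root-CA` and `hub-pub.example.test` are constructed names.

```shell
#!/bin/sh
# Constructed lab PKI; Lab-Root-CA and hub-pub.example.test are hypothetical names.
build_lab_pki() {  # $1 = empty working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab-Root-CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Root CA: stands in for the CA cert uploaded to tomcat-trust on both clusters
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  # Hub publisher key and CSR
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=hub-pub.example.test" \
    -keyout "$1/hub.key" -out "$1/hub.csr" 2>/dev/null || return 1
  # Old identity cert (valid 1 day) and its renewal (30 days), same issuing CA
  openssl x509 -req -in "$1/hub.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/hub_old.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$1/hub.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/hub_new.pem" 2>/dev/null || return 1
}

verifies() {  # $1 = trust file, $2 = cert to check, $3 = optional epoch for -attime
  if [ -n "${3:-}" ]; then
    openssl verify -attime "$3" -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  fi
}

demo() {
  d=$(mktemp -d) && build_lab_pki "$d" || return 1
  later=$(( $(date +%s) + 172800 ))   # two days ahead: hub_old.pem has expired
  verifies "$d/ca.pem" "$d/hub_new.pem" "$later" && echo "CA root only, renewed cert: trusted"
  verifies "$d/ca.pem" "$d/hub_old.pem" "$later" || echo "old cert after expiry: rejected"
  verifies "$d/hub_old.pem" "$d/hub_new.pem" || echo "stale leaf as only trust entry: renewed cert rejected"
  rm -rf "$d"
}
demo
```

The renewed certificate validates because its issuer is in the trust file; the stale copy of the old leaf plays no part in that decision.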