Now suppose I want to go back to a plain vanilla OWA internally for test purposes. How do I do that. I have multiple interpretations of the settings required on the virtual directories, but do I have to do something in set-organizationconfig?

The SANs are all there:

CertificateDomains : {owa.mydomain.com, www.owa.mydomain.com, autodiscover.mydomain.com, edge.mydomain.com,
                     enterpriseregistration.mydomain.com, mydomain.com, sip.mydomain.com, mail.mydomain.com,
                     fs.mydomain.com, adfs.mydomain.com}

Thumbprint         : 5169E1D598829E6B74315F27F5F7A4543C78DC17

This is the certificate that is bound to the default website.

get-owavirtualdirectory returns

InternalUrl                                         : https://owa.mydomain.com/owa
ExternalUrl                                         : https://owa.mydomain.com/owa

Can someone point me to where to look to get them working again?

I get the ADFS login screen and then "something went wrong"

https://owa.mydomain.com/owa/auth/errorfe.aspx?msg=WrongAudienceUriOrBadSigningCert

How as this deployed? Are all of the support requirements on this page met?

https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx

It was working until I applied CU8 (it was on CU7)

OK done that and they are all there as far as I can tell...

recycled my app pools, reset IIS, restarted the servers

Still the same. I get to the ADFS login screen but no further.

ActiveSync is working fine (passthrough in WAP)

Now suppose I want to go back to a plain vanilla OWA internally for test purposes. How do I do that. I have multiple interpretations of the settings required on the virtual directories, but do I have to do something in set-organizationconfig?