I get 404 for apps after adding new cert and ip for a new apps domain

I massively edited this to make it cleaner and easier to figure out what I'm asking. As you can see below, everything worked until I added the *.contosoapps.com cert and new IP to the server, now I get a 404 whenever I pull up a page with an app on it:

Setup where my apps worked until this morning:

1. Forward lookup zone contosoapps.com with CNAME to contoso.com as MSFT describes herehttp://technet.microsoft.com/en-us/library/fp161236.aspx
2. WFE and appserver on server 2012 IIS 8
3. Main website on IIS with *.contoso.com cert on hostheader webapp
4. Dummy webapp listening on 80 and 443 with no hostheader to server apps
5. App entries were NOT being created in hosts file (apps-xx.contosoapps.com), not sure why, I saw them when I tried it as a subdomain but not when it's as a new domain. but it worked so I ignored it.
6. Contosoapps.com and constoso.com both in intranet zone
7. Apps work, I get the cert error of course, but when I hit continue everything is fine.
   
   

We finally purchased the *.contosoapps.com cert, and I began to install it. New environment that does not work:

1. No DNS change, I don't see different instructions on MSFT site so we left it.
2. 2nd IP added to webserver.
3. dummy webapp for apps is listening only on the 2nd IP
4. *.contosoapps.com cert added to dummy webapp
5. App entries still not getting created in hosts file
6. When I ping contosoapps.com from my client machine, I still get old 1st IP instead of new one
7. I receive 404 error when I go to a page on my website that contains an app.

WHat I've tried:

1. Manually added an app url to hosts on WFE and appserver (app-xxxxx.contosoapps.com). This only made it work while on the WFE, it still does not work from a client machine.
2. Even doing the above, I get prompted for a login again, when I did not get prompted before (as I said both entries are in the intranet zone)
3. Rebooted (solves many problems, but not this :) )

So now what do I do?

1. Should I still have the CNAME entry in contosoapps.com that routes to contoso.com, or change it to a regular A reference pointing to the 2nd IP? MSFT article does not say, it just says to use the CNAME. I have very little knowledge of that aspect.
2. Is the fact that there are no entries in hosts for each app a problem?