OK. Well that was annoying. (partly because I'm dumb - ServerCADir/ServerCAFile in the old AOLserver 3 part of config.tcl are unsurprisingly not relevant when we're running on 4.5.1)
In case anyone has the same problem and finds this thread, what works for me is putting all the certs in one file that's referenced by the CertFile parameter. Order is significant - the file must contain your site certificate first, then the cert for its signer, and so on back up to the trusted root.