As you most likely will not be assigning SIP addresses with the domain.local namespace, you'll only need to support the domain.com SIP namespace. And since there is no mention of an Edge server, I'll assume you are planning an internal-only deployment with CWA published to the Internet to allow for browser-based client access for external users. Thus, here is a general overview of the minimum number of components you would require:
1. A single SSL SAN certificate for the Standard Edition server with the Common Name set to the server's FQDN (e.g. ocsserver1.domain.local) and a single SAN entry of 'sip.domain.com'.
2. A single SSL SAN certificate for the Communicator Web Access (CWA) server. See this thread for more details on using a single certificate for both MTLS and IIS usage on the CWA server:
http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=75

Self-signed certificates cannot be used for OCS and will not work.
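
One way to check installed certificates against the requirements in the post above (Common Name equal to the server FQDN, a SAN entry of sip.domain.com, not self-signed), as an added example that is not part of the original post. The function name `Test-OcsCertificate` is hypothetical, the host names are the post's own examples, and the certificate is assumed to be in the local computer's Personal store.

```powershell
# Added example: values below are the examples used in the post; replace with your own.
$ExpectedCN  = 'ocsserver1.domain.local'
$ExpectedSan = 'sip.domain.com'

function Test-OcsCertificate {   # hypothetical helper name
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$CommonName,
        [string]$SanEntry
    )
    # Common Name taken from the certificate subject
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Cert.GetNameInfo($simple, $false)

    # Subject Alternative Name extension (OID 2.5.29.17) rendered as text.
    # Windows prints entries as "<label>=<value>, <label>=<value>"; the label
    # is localized, so only the value after '=' is compared.
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $sanNames = @($sanText -split ',\s*' |
        ForEach-Object { ($_ -split '=', 2)[1] } |
        Where-Object { $_ })

    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        CommonName    = $cn
        SanNames      = ($sanNames -join ';')
        CnMatches     = ($cn -eq $CommonName)
        SanHasSipName = ($sanNames -contains $SanEntry)
        # Subject equal to issuer means the certificate is self-signed
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)
        HasPrivateKey = $Cert.HasPrivateKey
    }
}

# Report on every certificate in the computer's Personal store
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OcsCertificate -Cert $_ -CommonName $ExpectedCN -SanEntry $ExpectedSan } |
    Format-List
```

A certificate that meets the post's requirements shows `CnMatches` and `SanHasSipName` as True and `SelfSigned` as False.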