As you already have a load-balanced/failover setup, your process for upgrading the OS is grealy simplified.
Obviously get everythin ready for a DR (backup of the keys, DB and everything is always recommended). Hopefully you won't have to use them.
It should be as simple as:
- Shutdown and rebuild SEPM1 with new OS
- Log onto SEPM2 and delete SEPM1 from the site (under ADMIN -> SERVERS in the SEPM console)
- Install SEPM1 as additional server to existing site (maintaining same SEP version)
- Done (Rinse and Repeat)
The certs are stored in the DB, which is why copying these is not invovled in setting up an additional SEPM in the first place (http://www.symantec.com/docs/HOWTO26807). Just make sure you leave enough time for the clients to pick up and swap over to the other SEPM at each point, and you should be fine.
Essentially, after step 2, you're in the same state as if you were just running a Single SEPM site with an off-box DB. You're just adding a "new" SEPM into an existing site at that point.