Another one of those questions which come up…..
Firstly adding new SIP domains is usually best done with which a bit of planning i.e during the design phase with major upgrades. so do try and avoid things until then.
However, if you really need to add an additional SIP domains, the following actions must be taken:
- Add additional SIP Domains to Lync Server Topology and publish updated topology
- Rerun bootstrapper process on each Lync Director and Front-End Servers (to add additional IIS rewrite rules)
- Request/issue/install new Front-End and Director Server certificates (from Internal PKI) with additional subject alternative names (SAN’s) on each Front-End/Director Server Pool (and restart services)
- Request/issue/install new Survivable Branch Appliances certificates (from Internal PKI) with additional subject alternative names (SAN’s) on each SBA (and restart services). Note this is primarily for SRV records and SRV priorities
- Install new Front-End Server certificate on Hardware Load Balancer (for cookie persistent for Lync Mobile 2010)
- Request/issue/install new Front External Web Services certificate (from public CA) and install on all reverse proxy server and update web listener (TMG) or trunk (UAG) to use new certificate plus update publishing rules
- Request/issue/install External Edge Server certificates (from public CA) with additional subject alternative names (SAN’s) and install on each Edge Server Pool
- Add Internal DNS zones and/or records or DNS pinpoint records
- Add External DNS records
- Enable/Update Lync Users to use new SIP domain
Word of note when changing SIP domains or changing the meet URL, just remember the online meeting invitation have probably been sent so if you change the meet URL then people want be able to join!
TOP TIP! I usually include at join.<primary-sipdomain.com> in my planning at design phase for web services certificate SAN’s just for this very reason so you can at least get a new a SIP domain up and running quickly with manual configuration and manual federation to take to heat off till your next major upgrade.
UPDATE#1 (08JAN2014): Having clarified with the MCM community. It is not required to replace the Oauth certficate in Lync Server 2013 when adding new SIP domains even thought by default the Oauth certificate includes SAN’s for each SIP domain as  “A realm is simply a security container. By default, Lync Server 2013 uses your default SIP domain as its OAuth realm.”
 Managing Server-to-Server Authentication (Oauth) and Partner Applications