So, I feel like I should respond to this, as we (TAC and I) were able to figure out what was going on. The "untrusted CA certificate" is a new feature in version 5.4.x. If there is an issue with the certificate chain, the Fortigate will use the "Untrusted CA certificate" by default for SSL inspection.
Now this leaves you two options: 1.) Deploy the "Untrusted CA Certificate" all over your environment... no thank you. 2.) Set the "untrusted CA Cert" to the "Trusted CA Certificate" you're using for SSL-DPI.
Personally I went with option 2; otherwise you will be making "exceptions" for every single broken certificate chain your users come in contact with (for me this number has only been 2, but I anticipate more). Even if the site/URL is malicious, the encrypted traffic will still be inspected and hopefully the FGT will keep out the bad stuff.
"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong one. 'Do it yourself'. Yes, that's it." - Linus Torvalds
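For anyone who wants to see what the two options mean on the client side, here is an added simulation in Go. It is an editor's example, not code from the post, from Fortinet or from FortiOS, and it only models the rule the post describes: the inspecting proxy re-signs each site's certificate with the trusted CA when the upstream chain is intact and with the untrusted CA when it is broken, unless the untrusted slot has been pointed at the trusted CA (option 2). The client is assumed to trust nothing but the deployed CA. The CA names, the hostname example.test and all function names (mint, newCA, pickCA, seenAs, Simulate) are constructed for the example; all certificates are generated in memory with the standard library, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Cred is a certificate together with its private key.
type Cred struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// mint generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func mint(tmpl *x509.Certificate, parent *Cred) (*Cred, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer := &Cred{Cert: tmpl, Key: key}
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Cred{Cert: cert, Key: key}, nil
}

// newCA builds a throwaway self-signed CA for the simulation (constructed, not a real FortiGate CA).
func newCA(name string) (*Cred, error) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// pickCA applies the rule from the post: a broken upstream chain is re-signed with the untrusted CA by default, or with the trusted CA once option 2 is applied.
func pickCA(trusted, untrusted *Cred, option2, upstreamChainOK bool) *Cred {
	if !upstreamChainOK && !option2 {
		return untrusted
	}
	return trusted
}

// seenAs re-signs host with ca (as the inspecting proxy does) and reports whether
// a client whose trust store holds only the deployed CA accepts the result.
func seenAs(ca, deployed *Cred, host string) (bool, error) {
	leaf, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
	if err != nil {
		return false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(deployed.Cert)
	_, err = leaf.Cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil, nil
}

// Simulate pushes one site, with an intact or broken upstream chain, through the default
// configuration and through option 2, and reports whether the client validates each result.
func Simulate(upstreamChainOK bool) (defaultOK, option2OK bool, err error) {
	trusted, err := newCA("Trusted CA (simulated)")
	if err != nil {
		return false, false, err
	}
	untrusted, err := newCA("Untrusted CA (simulated)")
	if err != nil {
		return false, false, err
	}
	const host = "example.test" // constructed hostname
	if defaultOK, err = seenAs(pickCA(trusted, untrusted, false, upstreamChainOK), trusted, host); err != nil {
		return false, false, err
	}
	option2OK, err = seenAs(pickCA(trusted, untrusted, true, upstreamChainOK), trusted, host)
	return defaultOK, option2OK, err
}
```

Simulate(true) returns (true, true, nil): an intact upstream chain validates under both configurations. Simulate(false) returns (false, true, nil): the broken chain fails at the client under the default, which is the per-site "exception" the post wants to avoid, and passes under option 2. The same run also shows the trade-off of option 2: the client can no longer tell a broken upstream chain from an intact one, so the inspection engine becomes the only remaining check on that traffic.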