You can have multiple root CAs to help facilitate a slower transition. The root CA configured ion the client communication tab of the site is used for client cert selection and this CA is also added as a trusted root on devices going through OSD.
What's happening to old root CA?