In most environments when you attach a Polycom phone to a Lync infrastructure, the phone will automatically apply the root certificate and TLS communication will work properly.
We recently ran into an issue where Lync was setup with two different certificates, one external with an intermediate certificate authority and the second was an internal certificate with an untrusted root. The phone, which was a Polycom VVX 410, would not download all the necessary root certificates so we had to use another method to do so. No need to re-write the process in doing so as Jeff Schertz has done excellent blogs on Lync Integration with Polycom SIP phones https://blog.schertz.name/2011/12/lync-integration-with-polycom-sip-phones/ and on Importing Certificates with Polycom UCS https://blog.schertz.name/2012/11/importing-certificates-polycom-ucs/.
One note, if you are using a certificate that requires an intermediate root CA, you will need to add both the root and the intermediate certificates to the Polycom phone. If you use the XML method with a Polycom provisioning server, you add the first cert with sec.TLS.customCACert.4 and the second cert with sec.TLS.customCACert.5. The key is that the number at the end of the parameter tells the phone where to place the certificates. Certificates are read from 1 to 6. CA 6 is where the certificate is typically downloaded by default.
Jacob Eker, PEI