A possible explanation for the mismatch in the certificates would be if the ADFS server in question has switched signing certificates after the connection was configured. When you save the connection and you have provided a metadata URL then that URL is queried to obtain metadata information so this would explain why saving without changes addresses the situation as the save would get the new signing certificate from the metadata URL.
When you provide the metadata URL there’s also a periodic job that will check for updates to the metadata file, however, I’m not sure of the frequency so if the ADFS server completely removed the old certificates and replaced them with completely different ones then there would always be some period of time where the mismatch would occur.