This is another follow-up to my earlier post on changing the token signing certificate for the SharePoint STS, as described here: http://blogs.technet.com/b/speschka/archive/2014/05/06/updating-trust-between-onprem-farms-and-acs-for-apps-when-your-sharepoint-sts-token-signing-certificate-expires.aspx. As I mentioned in that post, you will undoubtedly wind up in this situation if you configure your farm to use low trust apps, because as part of creating the trust with ACS you need to change the STS's token signing certificate. One side effect of that process is that it changes the realm associated with your SharePoint farm. That matters for high trust apps because the farm's realm is part of the identifier used with the SPSecurityTokenIssuer used for high trust apps, as well as the identifier for individual apps. For example, here's what the identifier looks like for one of my SPTrustedSecurityTokenIssuers:
The first part of the identifier (before the @ sign) is the issuer ID; the part after the @ sign is the realm for the farm. The impact is that all of your high trust apps will stop working after you change the token signing certificate for your farm's STS. The workaround to get things going is as follows:
Once you do these steps, your high trust applications should start working again.
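
To see which trusted security token issuers still carry a realm that no longer matches the farm, you can split each identifier at the @ sign and compare the realm part with the farm's current realm. This is an added example, not part of the original post; it assumes the identifier is exposed in the `RegisteredIssuerName` property and that it runs on a farm server with the SharePoint snap-in available.

```powershell
# Added example: list each trusted security token issuer and flag realm mismatches.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Realm the farm is using now (after the STS token signing certificate change).
$farmRealm = Get-SPAuthenticationRealm

Get-SPTrustedSecurityTokenIssuer | ForEach-Object {
    # Identifier format described in the post: <issuer ID>@<realm>
    # Assumption: RegisteredIssuerName holds that identifier.
    $parts = $_.RegisteredIssuerName -split '@', 2
    $issuerRealm = if ($parts.Count -eq 2) { $parts[1] } else { $null }

    [pscustomobject]@{
        Name         = $_.Name
        IssuerId     = $parts[0]
        IssuerRealm  = $issuerRealm
        FarmRealm    = $farmRealm
        # False when the realm part is missing or differs from the farm's realm.
        RealmMatches = [bool]($issuerRealm -and ($issuerRealm -ieq $farmRealm))
    }
} | Sort-Object RealmMatches, Name | Format-Table -AutoSize
```

Rows with `RealmMatches` set to `False` are the issuers whose identifier still points at the old realm.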