Assume for the moment that these work individually:

Outputs1
[tcpout]
defaultGroup = primary_indexers
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089

[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem

Outputs2
[tcpout]
defaultGroup = heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem

If I understand the documentation correctly all we would need to do is this:

[tcpout]
defaultGroup = primary_indexers, primary_heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089

[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem

[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem

Is this correct? In this configuration the exact same data would be flowing to both destinations? There would be no issues binding the certifcates to different stanzas?

I appreciate the responses.