In response to your questions:
1. Yes, you should supply them with a new PEM/CER file prior to your certificate expiring.
2. From our perspective you can use an expired certificate. We don't validate the certificate (i.e. check its expiry date etc.). However, I'm not sure whether Ping performs any sort of certificate validation. You would need to check with the identity provider. Hopefully their configuration supports configuring both certificates (the old and new). This makes it easier to seamlessly handle certificate rollover.