Right, you need to give a different listening port for each. I typically set the 1st CWA virtual server to 5061 and the 2nd virtual server to 5062.
As a side note, if you're attempting to do SSO with OWA or SharePoint you will lose some functionality of CWA R2 like the Meet Now ability for anonymous participants. If you have an internal user who tries to use Meet Now via Communicator and emails the link to an outside user they'll get a URL that looks like
https://CWA-Address/join?....
Your ISA is going to block that connection and attempt to authenticate the user if it's performing the pre-authentication. I battled with this for awhile and finally conceded to just do a SSL pass through to the CWA virtual server with FBA. In the end, the functionality was more important than providing SSO.
The Meet Now join URL is based off your CWA URL, so you can't really use a subdomain, which rules out a different listener with no authentication for those connections. Maybe it's possible to edit that URL in WMI, but I wasn't that adventurous.
If you do manage a workaround for this to enable SSO and the Meet Now functionality I'd love to hear what it is.