An STS that does not sign its tokens is not very useful: without a signature, no relying party can distinguish between a valid token issued by the STS and a token forged by someone with malicious intent.
The certificate that you install for SSL support is usually different from the STS signing certificate. The latter identifies a service, not a web server. Therefore, be sure to use the SSL certificate only on the load balancer. But you will need another certificate representing the identity of the service, installed (with its private key) on each machine on which the service is hosted, for use as the SigningCertificate. It must be the same certificate on each server (it is the same service).
However, you usually do not need to buy such a certificate: you can issue it yourself - you just need to make sure that each potential relying party is configured to recognize the certificate as belonging to a trusted STS, and also trusts the root issuer of the certificate (which will be either the certificate itself, if it is a self-signed certificate, or your root certificate, if you used a certificate server to issue it).
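As an added illustration of the two halves described above (this is example code, not the answerer's and not part of WIF itself), the following C# shows an STS configuration that signs with one certificate looked up by thumbprint, and a relying-party IssuerNameRegistry that accepts tokens only when they are signed by that exact certificate. It assumes the .NET 4.5 System.IdentityModel namespaces (WIF 3.5 has the same types under Microsoft.IdentityModel.*); the class names, issuer URL and thumbprint are placeholders.

```csharp
// Added example, not from the original answer. Targets WIF in .NET 4.5
// (System.IdentityModel). Thumbprint, issuer URL and class names are placeholders.
using System;
using System.IdentityModel.Configuration;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

public static class CertificateLookup
{
    // Locate the STS signing certificate in the machine store by thumbprint.
    // On an STS node the private key must be present and readable by the
    // service account; a relying party only needs the public certificate.
    public static X509Certificate2 FindByThumbprint(string thumbprint, bool requirePrivateKey)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + thumbprint);
            var cert = matches[0];
            if (requirePrivateKey && !cert.HasPrivateKey)
                throw new InvalidOperationException("Signing certificate has no private key");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}

// STS side: every node behind the load balancer uses the same signing
// certificate, so tokens from any node verify against one public key.
public class ExampleStsConfiguration : SecurityTokenServiceConfiguration
{
    public const string SigningThumbprint = "THUMBPRINT-PLACEHOLDER";   // placeholder
    public const string IssuerName = "https://sts.example.test/";        // placeholder

    public ExampleStsConfiguration()
        : base(IssuerName)   // issuer name stamped into every issued token
    {
        var signingCert = CertificateLookup.FindByThumbprint(SigningThumbprint, requirePrivateKey: true);
        SigningCredentials = new X509SigningCredentials(signingCert);
        // SecurityTokenService = typeof(YourSecurityTokenServiceSubclass); as usual
    }
}

// Relying-party side: map the signing certificate to an issuer name. Returning
// null makes the token handler reject the token as coming from an unknown issuer,
// so a token signed with any other key (forged or from another STS) is refused
// even if its signature is mathematically valid.
public class PinnedIssuerNameRegistry : IssuerNameRegistry
{
    public const string TrustedStsThumbprint = ExampleStsConfiguration.SigningThumbprint;

    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token != null &&
            string.Equals(x509Token.Certificate.Thumbprint, TrustedStsThumbprint,
                          StringComparison.OrdinalIgnoreCase))
        {
            return ExampleStsConfiguration.IssuerName;
        }
        return null;   // untrusted signing certificate: token is rejected
    }
}
```

The relying party registers the registry in web.config with `<issuerNameRegistry type="YourNamespace.PinnedIssuerNameRegistry, YourAssembly" />` under `<system.identityModel><identityConfiguration>`. The second trust decision the answer mentions, trusting the certificate's root issuer, is controlled separately by `<certificateValidation certificateValidationMode="..." />`: `PeerTrust` suits a self-signed signing certificate placed in the Trusted People store, while `ChainTrust` suits one issued by your own certificate server whose root is installed on the relying party.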