OK, I think I worked it out ...
The request needs to be sent to the relevant auth location
and the payload needs to be
{"resource": "authz", "status": "deactivated"}
Working perfectly in all my tests 
so the GetSSL client now supports this
2 Likes