I just wanted to share the scenario and fix for similar types of hierarchy as we do. Currently, we have 2 domains that we deal with. Domain1.int and Domain2.int (for examples). In Domain1.int, we have our Enterprise CA which handles all the the domains certificate needs. In Domain2.int, we have
out SCCM SP1 Primary Site Server named pri-sccm01.domain2.int. We were able to exclude the 3rd party certificate as the source of the issue because
we could get the OOB SP to recognize, connect, id the machine as a vPro box, and start the provision. It looked like there was a problem with the Web Server certificate not being able to see the trusted root. Becuase of this, the process broke down as it was not able to issue a certification for the machine
to be provisioned.
In Amtopmgr.log, we saw the following "Missed device certificate. To provision device with TLS server or Mutual Auth mode, device certificate is required." So we referenced http://technet.microsoft.com/en-us/library/cc161803.aspx and saw the corresponding entry. At first we a certificate chain issue and something wrong with our PKI. While that was a problem, it wasn't the root cause. The issue is that our SCCM OOB Point needed access to act as a CA itself to have permissions to and revoke certificates. The problem is that we didn't anticipate the issue from our lab testing. We set up our lab as a single domain with the CA and the SCCM box on the same level.
Ultimately, the fix was the next entry below the "Missing device certificate..." entry. Upon inspection of the amtproxymgr.log, we saw ERROR: ICertRequest2->Submit failed: 0x80070005. The issue was that we needed to get our pri-sccm001.domain2.int into the security group CERTSRV_DOM_ACCESS in domain1.int. We bounced the server and we were then able to provision machines pretty happily. I hope this helps someone down the road. Happy trails!