It depends on the connections you have to the remote locations. You really only need 1 PAS. The management servers only run the administrative tasks like inventory and discovery. If you are looking at reducing WAN traffic you will likely want downstream WSUS servers, in which case it can all be managed by one PAS.
To add my 2 cents here:
I agree with frgpugs that typically if you have a bunch of downstream servers you'd often want downstream WSUS servers at those remote sites (unless you just have a rockin' WAN with plenty of bandwidth and/or if you only have a few machines at each site).
A Patch Manager Automation Server Role is the 'workhorse' piece that actually makes the connections from the PAS out to the targeted machines to do tasks like on-demand update deployments, Inventory, and to pull back info from Computer Explorer tabs, etc.
It is possible to install additional Automation Server Roles on other machines if desired; that would (potentially) accomplish 2 things:
- it distributes the load of a task across multiple Auto servers, so some tasks can complete more quickly
- it reduces the number of ports that need to be opened if there is a firewall between where the PAS is and the remote site from a bunch (needed for WMI communication across the WAN) to just one (port 4092 for the communication between the PAS and the remote Auto server). Once the remote Auto server has the task, it will make the WMI connections to the local machines.
So, in that scenario where you have downstream WSUS servers, it often makes sense to put a Patch Manager Automation Server Role on those downstream WSUS servers. You would then configure a rule on the PAS that says, essentially: "When I do a task to that subnet, use that Automation Server Role to do it (instead of the 'default' Automation Server Role that lives on the PAS)."
Not required to do so, but can be helpful for the reasons noted above.
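The two-hop path described in the post above (PAS to remote Automation Server on TCP 4092, then the remote Automation Server to its local machines over WMI) can be verified from the PAS before the firewall rule is signed off. The script below is an added example written for this thread, not SolarWinds code; the host names, the subnet targets and the `example.local` domain are placeholders you replace with your own. It checks that 4092 reaches each remote Automation Server and that the RPC endpoint mapper (TCP 135, the first hop of a WMI/DCOM session) is not also reachable across the WAN, which is the whole point of placing the role at the remote site. A second function, meant to be run on the remote Automation Server itself, confirms the local WMI hop works.

```powershell
# Added example for this thread (not SolarWinds' own tooling).
# Run Test-PatchManagerWanPath on the PAS; run Test-LocalWmiHop on each remote Automation Server.
# All host names below are placeholders (assumption: replace with your own).

$RemoteAutomationServers = @('site1-wsus.example.local', 'site2-wsus.example.local')  # placeholders
$AutomationPort = 4092   # PAS -> remote Automation Server port, as stated in the thread
$RpcPort        = 135    # RPC endpoint mapper; a WMI/DCOM session starts here

function Test-PatchManagerWanPath {
    # From the PAS: 4092 must be open to each remote Automation Server,
    # and RPC/WMI should NOT be reachable across the WAN if the firewall rule is tight.
    param(
        [Parameter(Mandatory)] [string[]] $Servers,
        [int] $AutoPort = 4092,
        [int] $WmiPort  = 135
    )
    foreach ($server in $Servers) {
        $auto = Test-NetConnection -ComputerName $server -Port $AutoPort -WarningAction SilentlyContinue
        $rpc  = Test-NetConnection -ComputerName $server -Port $WmiPort  -WarningAction SilentlyContinue

        $verdict = if ($auto.TcpTestSucceeded -and -not $rpc.TcpTestSucceeded) {
            'OK: only 4092 exposed across the WAN'
        } elseif (-not $auto.TcpTestSucceeded) {
            'FAIL: 4092 blocked, PAS cannot hand tasks to this Automation Server'
        } else {
            'REVIEW: RPC/WMI also reachable from the PAS; the WAN rule is wider than it needs to be'
        }

        [pscustomobject]@{
            Server             = $server
            AutomationPortOpen = $auto.TcpTestSucceeded
            RpcOpenFromPAS     = $rpc.TcpTestSucceeded
            Verdict            = $verdict
        }
    }
}

function Test-LocalWmiHop {
    # On the remote Automation Server: confirm the second hop (WMI to local machines) works.
    # Targets are placeholders; in practice feed it the subnet the PAS rule points at this role.
    param([Parameter(Mandatory)] [string[]] $Targets)
    foreach ($target in $Targets) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
            [pscustomobject]@{ Target = $target; WmiReachable = $true;  Detail = $os.Caption }
        } catch {
            [pscustomobject]@{ Target = $target; WmiReachable = $false; Detail = $_.Exception.Message }
        }
    }
}

# On the PAS:
Test-PatchManagerWanPath -Servers $RemoteAutomationServers -AutoPort $AutomationPort -WmiPort $RpcPort |
    Format-Table -AutoSize

# On a remote Automation Server (placeholder targets):
# Test-LocalWmiHop -Targets @('site1-pc01.example.local', 'site1-pc02.example.local') | Format-Table -AutoSize
```

A `REVIEW` result is not a task failure; tasks will still dispatch. It just means the WAN firewall allows more than the single port the remote role was installed to need, so the rule can be narrowed to 4092 without breaking anything.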