Two things come to mind:
1) Depending on your downstream settings this could be effected, so make sure they're replica servers otherwise you will need to approve or potentially publish the third party updates directly to the downstream WSUS server.
2) Make sure they have the WSUS publishing certificate as with your client machines. The chain of trust needs to be complete from the PAS to each WSUS (and downstreams) and client machines. If you don't have the certificate on the downstream servers they won't trust the third party updates. You may also need to enable the Allow signed updates policy if you haven't: