The Client Certificate Management tool available in Patch Manager leverages WMI and some methods in our WMI Provider to load the certificate into the appropriate certificate stores on the client system. One of the advantages to this methodology is its ease of use in a multi-domain scenario, because it only requires local Administrator privileges to access WMI. At the same time, one of the disadvantages is that it does require remote WMI access, which is blocked (by default) in the Windows Firewall on Vista and newer operating systems. Ironically, the very thing that can easily mitigate the Windows Firewall issue, a GPO enabling that ruleset in each domain, can also be used to distribute the certificate.
However, if you already have WMI enabled and working (the ruleset is already enabled, or the Windows Firewall is disabled), then the Client Certificate Management tool can be very beneficial in quickly distributing the certificates to the client systems without having to hassle with Group Policy creation. It distributes them on-demand or as a scheduled task, to one or more individual systems, or by Domain, OrgUnit, or WSUS Target Group -- leveraging all of the standard computer selection and task management options available in Patch Manager. (I often find that targeting this task to the "All Computers" group is a quick way to make sure every machine is on the distribution list.)