David,
You can have the cert issued for your top level domain, then use DHCP Option 15 to specify the domain the vPro will need to use when provisioning machines. This is technically theory, and I have only done limited tests with it in my lab. However I am able to successfully provision machines with certs from other domains using this method.
Bryce.