Hi Kevin,
In this scenario that you explained, SCCM act as a proxy between AMT-clients and your internal CA to issue TLS certificates. However, I would like to to advise you that exist a compatibility issue for provisioning *only*, between AMT 9 and beyond with SCCM - What I would recommend you is use Intel SCS for provisioning, it won't affect SCCM capability to manage these AMT-client machines - you can use this add-on for integration.
You will also found further documentation about this process in User Guides with these components and do not hesitate to send us your questions/doubts.
Best Regards!
-Bruno Domingues