Wrong WSUS WUA server assigned to DMZ agents

Having a problem with the WSUS part of SCCM 2012 not working on agents in our DMZ. These agents have PKI certificates from internal PKI, and are appearing in the console as active inventory.

Because many parts of the SCCM roles must be configured for HTTP or HTTPS and not both at the same time:

  1. These agents are on a boundary that assigns them to an MP that is configured for SSL. The agent control panel shows the correct MP.
  2. These agents are also in a collection with different client settings to assign them an 8531 appcat.

SDCSCMP23 is the HTTP WSUS/Appcat/MP for internal agents.
SDCSCMP25 is the SSL WSUS/Appcat/MP with PKI certs for DMZ agents.

The problem is that SCCM is configuring these agents to use the HTTP parts of the Infrastructure for WSUS, and not the HTTPS parts. Per MS Doc, Client Settings are supposed to auto assign an HTTPS appcat before an HTTP one, but this was not happening, so I made my own client settings to assign the HTTPS appcat.
Simply modifying the firewall config to permit 443, 8531 to this other server is NOT an option, because those servers are listening on 80, 8530 (for internal HTTP agents) not 443, 8531. We have a requirement to use only 443, 8531 for the DMZ agents. Have verified that 443, 8531 are open through the firewall to SDCSCMP25 from the agents. This is SCCM 2012 SP1. We are NOT assigning WSUS servers through GPO.
How do I get SCCM to assign the correct WSUS servers to these agents?

WUAHandler.log
Enabling WUA Managed server policy to use server: HTTP://SDCSCMP23.ACME.COM:8530
m_spSearchJobUpdateSearcher->EndSearch(m_spSearchJob, &spSearchResult), HRESULT=80072ee2 (e:\nts_sccm_release\sms\client\updatesmgmt\wuahandler\cwuahandler.cpp,3064)   WUAHandler  4/11/2013 6:09:59 PM    1480 (0x05C8)
OnSearchComplete - Failed to end search job. Error = 0x80072ee2.    WUAHandler  4/11/2013 6:09:59 PM    1480 (0x05C8)
Scan failed with error = 0x80072ee2.    WUAHandler  4/11/2013 6:09:59 PM    1480 (0x05C8)

WindowsUpdate.log
2013-04-11  18:09:05:376     828    15fc    Agent   ***********  Agent: Refreshing global settings cache  ***********
2013-04-11  18:09:05:376     828    15fc    Agent     * WSUS server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
2013-04-11  18:09:05:376     828    15fc    Agent     * WSUS status server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
2013-04-11  18:09:35:641     828    1668    PT  +++++++++++  PT: Synchronizing server updates  +++++++++++
2013-04-11  18:09:35:641     828    1668    PT    + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://SDCSCMP23.ACME.COM:8530/ClientWebService/client.asmx
2013-04-11  18:09:59:235     828    1668    Misc    WARNING: Send failed with hr = 80072ee2.
2013-04-11  18:09:59:235     828    1668    Misc    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2013-04-11  18:09:59:235     828    1668    PT    + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2013-04-11  18:09:59:235     828    1668    PT    + Caller provided credentials = No
2013-04-11  18:09:59:235     828    1668    PT    + Impersonate flags = 0
2013-04-11  18:09:59:235     828    1668    PT    + Possible authorization schemes used = 
2013-04-11  18:09:59:235     828    1668    PT  WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2013-04-11  18:09:59:235     828    1668    PT  WARNING: PTError: 0x80072ee2
2013-04-11  18:09:59:235     828    1668    PT  WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2013-04-11  18:09:59:235     828    1668    PT  WARNING: RefreshConfig failed: 0x80072ee2
2013-04-11  18:09:59:235     828    1668    PT  WARNING: RefreshPTState failed: 0x80072ee2
2013-04-11  18:09:59:235     828    1668    PT  WARNING: Sync of Updates: 0x80072ee2
2013-04-11  18:09:59:235     828    1668    PT  WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2013-04-11  18:09:59:235     828    1668    Agent     * WARNING: Failed to synchronize, error = 0x80072EE2
2013-04-11  18:09:59:235     828    1668    Agent     * WARNING: Exit code = 0x80072EE2
Tags: sccm, sccm-2012
asked on Server Fault Apr 14, 2013 by Clayton
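The logs above show the SCCM client writing the WUA managed-server policy (the "Enabling WUA Managed server policy" line) and the Windows Update Agent then failing to reach an HTTP:8530 URL it cannot get through the firewall. The following PowerShell diagnostic is an added example, not code from the original post or from Microsoft: run on a DMZ client, it reads the WUServer/WUStatusServer values the client policy sets, checks them against the requirement stated in the question (HTTPS on 8531), tests a TCP connection to the SSL SUP, and pulls the most recent assignment line from WUAHandler.log. The server name SDCSCMP25.ACME.COM and the ports come from the question; the registry path and the %windir%\CCM\Logs location are the standard WUA policy key and default client log folder, and the regular expression is assumed to match the log format shown above.

```powershell
# Added diagnostic (not part of the original post). Reads the WUA managed-server
# policy pushed by the SCCM client and checks it against the DMZ requirement of
# HTTPS on 8531. Server name and ports are taken from the question.

$RequiredScheme = 'https'
$RequiredPort   = 8531
$SslSup         = 'SDCSCMP25.ACME.COM'   # the SSL SUP named in the question

# Standard location of the "Specify intranet Microsoft update service location"
# policy; the "Enabling WUA Managed server policy" step in WUAHandler.log writes here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuaServerPolicy {
    if (-not (Test-Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
    }
}

# Classify a WSUS URL as OK / WRONG / MISSING against the required scheme and port.
function Test-WuaServerUrl {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return 'MISSING: no WSUS server assigned' }
    $uri = [uri]$Url
    $problems = @()
    if ($uri.Scheme -ne $RequiredScheme) { $problems += "scheme is $($uri.Scheme), expected $RequiredScheme" }
    if ($uri.Port   -ne $RequiredPort)   { $problems += "port is $($uri.Port), expected $RequiredPort" }
    if ($problems.Count -eq 0) { return "OK: $Url" }
    return "WRONG ($($problems -join '; ')): $Url"
}

# Plain TCP connect test; System.Net.Sockets.TcpClient is used instead of
# Test-NetConnection so the script also runs on older Windows Server builds.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($ComputerName, $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}

$policy = Get-WuaServerPolicy
"WUServer:       " + (Test-WuaServerUrl $policy.WUServer)
"WUStatusServer: " + (Test-WuaServerUrl $policy.WUStatusServer)
"TCP ${SslSup}:${RequiredPort} reachable: " + (Test-TcpPort -ComputerName $SslSup -Port $RequiredPort)

# Last server the SCCM client pushed, straight from the default client log folder.
$log = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'Enabling WUA Managed server policy to use server: (\S+)' |
        Select-Object -Last 1 |
        ForEach-Object { "Last WUAHandler assignment: $($_.Matches[0].Groups[1].Value)" }
}
```

On the client described in the question this reports both policy values as WRONG (scheme http, port 8530) while the TCP test to SDCSCMP25 on 8531 succeeds, which separates a site-side SUP assignment problem from a firewall problem before any further troubleshooting.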

1 Answer

It seems to me that the core issue here is the attempt to configure multiple SUPs (one SSL, one not) within the site. You can only have one Software Update Point (SUP) per site, and the SUP is either SSL-enabled, or not.

I see only two possible options:

  1. Enable the SUP for SSL and require SSL for ALL clients.
  2. Install a secondary site in your DMZ with its own SUP.
answered on Server Fault Apr 16, 2013 by Lawrence Garvin

User contributions licensed under CC BY-SA 3.0