I am looking for some advice, feedback on best practices for deploying
Foreman in a multi-datacenter setup. Specifically around Puppet master
setup.
In past setups I have used the smart proxies for services such as TFTP, DNS
and DHCP. I have always turned off the puppet and puppetca within the smart
proxy and used a central puppet master (using distributed load techniques
outlined in the Puppet Labs documentation: round robin DNS, SRV records,
etc.).
Now I am looking at possibly enabling the puppet and/or puppetca service
within the smart proxy to provide local puppet and puppetca services. From
the puppet standpoint I get the setup. I would have multiple puppet masters
and would just need to ensure all manifests and modules are synced. As I am
using r10k this should be pretty trivial to accomplish.
My main concerns are around the puppetca and how that service would
function. In a standard puppet distributed setup you have a single CA which
services all puppet masters that may be deployed. This would break that
model. Having set up a CA per site would present quite a few issues:
- if the local site puppet service is down you couldn't fail over to a
  secondary site
- when using services such as mcollective, the standard setup is to
  authenticate using the certificates generated by puppet
Has anyone tackled this problem? Or is the suggestion to enable the puppet
functionality within the smart proxy, but to configure it to proxy CA
requests back to the one true CA (or to use ca_server or DNS SRV records to
direct the client to issue CA requests to the CA server)?
Thanks
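As an added illustration of the last option in the post (site-local puppet masters that compile catalogs but send all certificate requests to the one central CA), here is a puppet.conf fragment. This is example configuration, not from the original post or from the Foreman project; the hostnames `ca.example.com`, `puppet.site1.example.com` and the domain `example.com` are assumptions. Keeping a single CA is also what keeps revocation meaningful: one CRL, distributed to every master, instead of per-site CRLs that other sites never see.

```ini
; puppet.conf on a site-local Puppet master (example, not the post's own config).
; Assumes the central CA is ca.example.com and the agents' DNS domain is example.com.
[main]
    ; each site's agents talk to their local master for catalogs
    server = puppet.site1.example.com

[master]
    ; this master compiles catalogs but is NOT a certificate authority;
    ; certificate requests must go to the central CA, not a site-local one
    ca = false

[agent]
    ; option 1: explicitly route CA traffic (CSRs, cert retrieval, CRL) to the central CA
    ca_server = ca.example.com

    ; option 2 (instead of ca_server): discover servers via DNS SRV records.
    ; Puppet then looks up _x-puppet._tcp.example.com for masters and
    ; _x-puppet-ca._tcp.example.com for the CA, so the catalog masters can be
    ; per-site records while the CA record points at the single central CA.
    ; use_srv_records = true
    ; srv_domain = example.com
```

The `ca = false` setting is the Puppet 3 way of disabling the CA on a compile master; on Puppet Server the CA service is switched off in its own services configuration (the `ca.cfg` bootstrap file) rather than in puppet.conf. With either approach, a site-local master that is down only takes its catalog service with it, so agents can be pointed at another site's master without needing a different CA, and tools such as MCollective keep working with certificates issued by the same CA everywhere.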