Thanks everyone for your interest in this topic and helping me understand the follies in my ways. I see now how this is not the right way to go about the problem due to technical design limitations. We have decided to go with a single CA and deal with a provisioning outage, at least until the downtime becomes unacceptable. Thanks again everyone.