Darren,
I have had a number of discussions with VMware regarding this configuration.
The general concensus was to create two separate SSO environments - one at each site and use the local AD DC's as the LDAP targets for the AD Identity Source.
I have set this up a number of times now and it has worked well. When you install it, select the option to add the first node of a highly available configuration. That way you can migrate later if things change
Regards,
Sean