SCUP 2011 Cert for Multiple Forests
We've been using SCUP 2011 + SCCM 2012 in one forest and have created a cert for SCUP from our domain CA. Now we need to service another forest. I need to add a cert to that new forest so that its clients trust SCUP. Do I need to install another SCUP server in the new domain with its own CA-is
March 18th, 2015 6:41pm

Cert trust has *nothing* to do with Active Directory, domains, forests, or trusts. Systems trust a cert and the CA that issued that cert because they have that CA's cert in the trusted root store.

AD helps facilitate the distribution of the root CA's cert so that clients within a specific domain trust a CA, and with an enterprise CA this is done automatically, but there's no reason that you couldn't do this manually using group policy also -- the results are *exactly* the same.

The only caveat here is that at least one of the CDPs for the PKI must be available to the clients in the other domain/forest. This last part may already be set up or maybe not. If not, it will cause you pain though. You should get a PKI smart person involved ASAP though to verify this.

March 18th, 2015 8:45pm
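The two conditions from the reply above (root CA cert present in the trusted root store, and at least one CDP reachable) can be checked from a client in the other forest. This is an added example, not code from the thread; it assumes the SCUP signing cert has been exported to a placeholder path C:\Temp\scup-signing.cer.

```powershell
# Added example: verify from a client in the other forest that the SCUP
# signing cert chains to a trusted root AND that its CRL can be fetched.
param(
    [string]$CertPath = 'C:\Temp\scup-signing.cer'   # placeholder, adjust to your export
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Online revocation for the entire chain forces a real CRL download from a CDP,
# so a pass proves the CDP is reachable from this client, not just cached.
$chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$ok = $chain.Build($cert)

# Show each element of the chain and any status flags attached to it
foreach ($element in $chain.ChainElements) {
    '{0,-60} {1}' -f $element.Certificate.Subject, ($element.ChainElementStatus.Status -join ',')
}

if ($ok) {
    'OK: root is trusted here and the CRL was retrieved from a CDP.'
} else {
    $statuses = $chain.ChainStatus.Status
    if ($statuses -contains 'UntrustedRoot') {
        # Fix: publish the root CA cert to this forest, e.g. via GPO under
        # Computer Configuration > Policies > Windows Settings > Security Settings >
        # Public Key Policies > Trusted Root Certification Authorities
        'FAIL: root CA cert is not in this machine''s Trusted Root store.'
    }
    if (($statuses -contains 'RevocationStatusUnknown') -or ($statuses -contains 'OfflineRevocation')) {
        # Fix: make at least one CDP (HTTP or LDAP) of the issuing PKI reachable from this forest
        'FAIL: CRL could not be retrieved; no CDP is reachable from this client.'
    }
}
```

Run it on a representative client in the new forest as the machine would evaluate it, since the trusted root store and network path to the CDP are what matter, not the user's domain membership.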

Thanks for the reply Jason. Good points. I'll post a question out on the TechNet PKI forum for more guidance.
March 18th, 2015 10:00pm
