Trusted Publishers is a key location where the cert needs to exist on all systems, but I'm not aware that this should impact your ability to distribute it.
(The only thing that should exist in Trusted Root is the certificate of the CA.)
The first step is to verify that the Patch Manager server does have the correct certificate cached.
From the WSUS node, select "Software Publishing Certificate", which should display the current cert attributes.
Once the cert is cached, the Server Publishing Setup Wizard should be able to load and distribute that certificate.
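A local check of the two stores mentioned in the post, as an added example that is not part of the original reply or of Patch Manager. It assumes you copy the thumbprint from the cert attributes shown under "Software Publishing Certificate"; the function name, output fields and placeholder value are hypothetical.

```powershell
# Added example. Run on the server or client whose stores you want to inspect.
function Test-PublishingCertStores {
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint   # from the "Software Publishing Certificate" attributes
    )

    # Strip spaces and invisible characters that copy/paste from a cert dialog can add.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $inPublishers = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $tp }
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $tp }

    $cert = @($inPublishers) + @($inRoot) | Where-Object { $_ } | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "Certificate $tp is in neither store on $env:COMPUTERNAME."
        return
    }

    # A self-signed publishing cert is its own CA, so it is the one case where
    # the same cert belongs in Trusted Root as well as Trusted Publishers.
    $selfSigned = $cert.Subject -eq $cert.Issuer

    # Build the chain against the local stores; revocation is skipped so the
    # result reflects store contents only, not CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainBuilds = $chain.Build($cert)

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        Expired             = $cert.NotAfter -lt (Get-Date)
        InTrustedPublishers = [bool]$inPublishers
        InTrustedRoot       = [bool]$inRoot
        SelfSigned          = $selfSigned
        ChainBuilds         = $chainBuilds
        # Only a CA cert should sit in Trusted Root: expect True for a
        # self-signed cert, False for a CA-issued one.
        RootPlacementOk     = if ($selfSigned) { [bool]$inRoot } else { -not $inRoot }
    }
}

# Placeholder value, replace with the thumbprint shown in the console.
# Test-PublishingCertStores -Thumbprint '<THUMBPRINT-FROM-CONSOLE>'
```

`InTrustedPublishers` being False on a client, or `ChainBuilds` being False, means the certificate has not been distributed to that machine correctly.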