Hello @Bojan Zivkovic ,
Based on the description above, I understand you have 3 production forests and management forest, and you want to deploy 2-Tier PKI with Standalone Offline Root CA and Enterprise Subordinate Issuing CA in management forest.
production forest1 <==> two way forest trust with management forest
production forest2 <==> two way forest trust with management forest
production forest3 <==> two way forest trust with management forest
And you want 2-Tier PKI in management forest to enroll certificates for 3 production forests.
From the link you provided, I think that your understanding is right. I mean if you have multiple PKIs in multiple forests, you can consolidate to one central PKI in one Active Directory Domain Services (AD DS) forest.
For your requirements, you can consider the article below, but there is no need to have a forest trust between the forests.
Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.