To put certificates into the Management Engine the both tools Manageability Director and Manageability Commander can be used.
Since we dont know, whether it is allowed to redistribute the Manageability Director, we need to know, whether there are other tools with which certificates can be put into the ME and with which the ME can be configured to use TLS.
E.g. the AMT-WEB-Interface, WinRM, etc ?
The appropriate WS-Man calls are all that's needed to put certificates into the ME and configure AMT to use TLS. The SCS performs this functionality, you can use that directly to configure the systems.
As far as developing your own, theoretically you could use WinRM (or any other WSMan client)directly to configure TLS, but it would be fairly cumbersome. The next step easier from that would be to use the WS-Man client libraries out of the SDK, or the javalib library provided on the site. The next step easier from that would be the SCA example in the SDK, also contains information on configuring systems to use TLS (although that's in EOI implementation instead of WS-Man, so it should be used more as an example along with either of the previous libraries mentioned).
Basically the approach you take depends on the level of customization you need.