For the most part, Moodle 1.9.x can do what is described. Am doing the same with a TCEA Area 3 implementation of Moodle (tcea.org) and 4 School District Moodles, each hosted on a different internet domain (visd.net, wisd.net, fcisd.net, goliadisd.org). Two ISDs use Active Directory LDAP, one uses Apple's Directory LDAP, one uses Manual accounts in their own networks. In one of the above (the largest), they have 33 Elementary schools, each with their own Moodle authenticating via AD LDAP, and each is linked to an Elementary HUB.
Two things that might make it easier for you:
1. In the participating Moodles to be mnetted (and the HUB), add this line to their config files BEFORE setting up the mnetting between sites:
$CFG->mnetkeylifetime = '356';
Where 356 is however many days you desire the certificates to be valid.
The admin interface for mnetting servers doesn't provide a setting/dialog box to set this value.
2. All access from mnetted Moodles to the hub will grant users access but will assign them roles as student by default (including teachers). While in the HUB one can take an account that has authenticated via mnet and escalate their access level to a teacher role in the context of a category or course, it might be best to have those that will be teachers on/in the HUB apply for an account on the HUB directly.
Be happy to discuss more or even grant some limited access if you desire. Please contact off list.
'spirit of sharing',
Ken