Probably not. You have to create complex external scripts, IMO. As you seem to have learned, patching is more political than practical in some places.
Generally, most of the Sun/Oracle sites (educational) I know use pkgadd for one-offs, and PCA as the primary tool.
We have a lot of M4000s and our mgt forbade patching. We're commercial, all of our boxes are essentially clones and have recently been forced to override mgt. So we just looked at PCA and are trying to get it.
Patch Check Advanced
Try that in lieu of Puppet. You need to look at terms of use for PCA - the only drawback.