Thanks both. I'll probably set it up like roag said and just point it to DC=mydomain,DC=com because I don't need to control access at the SSO level more than that, because vCenter access is all controlled by AD groups on there anyway, so it'll make it easier to have it referencing my whole domain anyway.
Thanks guys!