One of the easiest solutions is to not configure the GPO at all.
The CM client will configure the settings needed via local policy (it will edit the regkeys it wants them to be). If you watch wauhandler.log on a client, you'll see it do that, and then pause to see if a GPO will overwrite it's locally set policies. If not, CM will scan using your SUP.
If you currently have a GPO setting the WSUS policies, try setting those policies to "NotConfigured"--so that CM can set what it needs to set without having to coordinate getting the GPO just perfectly right.