The machines will not autoenroll even though they have autoenroll policy enabled and are permitted to the CEWS SSL template with read, enroll and autoenroll permissions.
This is expected. Machines do not autofill the subject field. It is possible to renew against a template that requires a manual subject by enabling a checkbox that allows reusing the subject from the renewal certificate. But that's all.
The Requestor's Active Directory Object is not in the current forest.
That's correct. When the CA attempts to query an object that belongs to another forest from the local DC, it receives an LDAP referral, which requires LDAP referral chasing: https://learn.microsoft.com/en-us/windows/win32/ad/referrals. To enable LDAP referral chasing on the CA, you have to run the following command:
certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS
And restart the CA service.