Let's see if I can hit as many of your requirements as I can.
Use ITMS to automate and manage Macs:
This can be done, but it takes some planning and setup. You can image Macs, install a base OS or configure OS X all through ITMS. You would use the Symantec tools provided to create .NBIs (similar to WinPE PXE images) and then deploy those to your PXE server. These files will allow Macs to NetBoot (PXE boot).
One word of caution: like with Windows, you will most likely need a few different .NBIs to boot your Macs and you will always want to create the .NBI from the newest piece of hardware you have. An example: The 2015 Retina iMacs will not boot from an .NBI built from a MacBook Pro from 2014. The drivers aren't included in the base OS so they won't be there in the .NBI and there is no real way to add them.
Join Macs to AD:
Very possible, even if you just do it from a small script task. One or two lines is all you need since there's a command-line method for binding to AD. Other considerations would need to be investigated (UID, GID number matching for example) but possible and we do this all the time.
Leverage GPOs:
You're out of luck here unless you use third-party tools like ADmitMac or Centrify (which you say you could use; their website quotes $4 per user/month). A few years ago you could extend the AD schema to allow Workgroup Manager on an OS X server to manage some Mac settings through GPOs, but Apple did away with WGM in favor of profiles. You can manage many policies with Profile Manager (it does require running Apple's Server.app, available in the Mac App Store, on at least one Mac). Other policies, depending on what you want to do, can be handled through scripts, configuration with .plist files and more.
Allow remote management:
This is also easily configured from the command line. A single line can turn it on and enable management, so that won't be an issue.
Add root CA and Wi-Fi certs:
This can be done through the use of profiles (there's a task for that), or very easily from a custom package or custom script. We just did this on all 1,000+ Macs here, all using a custom package, but adding a cert is just another one-liner.
Install ITMS agents:
Similar to Windows. You can include the SMA in your base image (remembering to remove the host.GUID file from /opt/altiris/notification/nsagent/etc/ before snapping the image). You can then add sub-agents into your deployed machine or the image, whichever you prefer.
Install Software:
Once the image is deployed and agents are installed, you can deploy software from the Software Catalog just like you would to a Windows machine. ITMS can use .pkg, .mpkg, .dmg and .app files. I have had some hit-or-miss tries with this, with the most luck coming from having everything be pulled from inside of a .dmg (you can create these from the command line or Disk Utility on any Mac).
Set User and Management Defaults:
Yes and no here. This all depends on exactly what you're doing. Unlike Windows, OS X doesn't have a registry to worry about, so per-user settings are mostly contained in .plist files in the user's home directory and can be manipulated using the "defaults" command or by just editing the files. Network access is more complicated. We mount 3 SMB shares at login for our clients, but we use a custom script to do so. There are many different options depending on what you want.
Patching:
You can do some light remediation with ITMS, but it isn't an Apple SUS, so it relies on going out to Apple for its updates. You can tell it to do some or all, but it is always a pull, and clients can update manually at any time as well. If you want to limit which updates they can see, you would need to either host Software Update on an internal OS X server or run Reposado on a Linux server and point your clients to that machine. This, of course, means they can't update off the network, but you can limit what gets updated. Example: you might not want to allow them to upgrade to OS X 10.11.4 when it comes out in case there are bugs in the release; you'd rather wait 2 weeks before allowing it. You'd do that at the SUS server.
DEP is not required but is handy with Profile Manager if you want to make sure machines are configured out of the box. It takes some setup and doesn't really relate here. We don't bother using it for our Macs but we do for all of our iPads.
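The one-liners the answer above refers to (AD binding, remote management, root CA install, pointing clients at an internal SUS, the host.GUID cleanup before image capture and the .dmg packaging) collected into one post-image provisioning script. This is an added example, not code from the post, from Symantec or from Apple; the domain, OU, service account, catalog URL, certificate path and user names are placeholders, and every command in it is macOS-only. It defaults to a dry run that only prints the commands, so it can be reviewed before running it as root.

```shell
#!/bin/sh
# Post-image Mac provisioning using only built-in macOS commands.
# Illustrative example; hostnames, OU, account, URL and paths are placeholders.
# DRY_RUN=1 (the default) prints each command instead of running it;
# DRY_RUN=0 executes. Run as root on the Mac for "apply".
set -u

ARD_KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
SMA_GUID=/opt/altiris/notification/nsagent/etc/host.GUID   # path named in the post above

# Wrapper so every step can be reviewed before it touches the machine.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# Before snapping the image: the SMA host.GUID must not be baked in, or every
# clone checks in to ITMS as the same computer.
prep_image_for_capture() {
    run rm -f "$SMA_GUID"
}

# Bind to AD. Caveat: a password in argv is visible in `ps` while the command
# runs; in production read it from a root-only file or prompt for it.
bind_to_ad() {   # domain computer_name bind_user bind_password ou_dn
    run dsconfigad -add "$1" -computer "$2" -username "$3" -password "$4" \
        -ou "$5" -force -mobile enable -mobileconfirm disable -localhome enable \
        -groups "Domain Admins,Enterprise Admins"
}

# Check the bind actually happened (prints the current AD configuration).
verify_bind() {
    run dsconfigad -show
}

# Apple Remote Desktop: activate the agent, restrict access to the listed local
# users (not "all users"), grant full privileges, restart the agent.
enable_remote_management() {   # comma-separated local user list
    run "$ARD_KICKSTART" -activate -configure -allowAccessFor -specifiedUsers
    run "$ARD_KICKSTART" -configure -access -on -users "$1" -privs -all -restart -agent -menu
}

# Install an internal root CA into the System keychain as a trusted root, so
# the RADIUS server certificate used by a Wi-Fi (EAP) profile validates.
add_root_ca() {   # path to a DER or PEM certificate
    run security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$1"
}

# Point Software Update at an internal SUS or Reposado catalog so clients only
# see the updates you have released.
set_update_catalog() {   # catalog URL
    run defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "$1"
}

# A system-wide preference set with `defaults` (per-user settings work the same
# way against the plist in the user's home directory).
set_loginwindow_banner() {   # banner text
    run defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "$1"
}

# Wrap a payload folder in a compressed .dmg for the ITMS Software Catalog.
build_payload_dmg() {   # source_folder output.dmg
    run hdiutil create -volname Payload -srcfolder "$1" -format UDZO -ov "$2"
}

provision() {
    bind_to_ad example.com "MAC-$(hostname -s)" svc_macbind 'ChangeMe' 'OU=Macs,DC=example,DC=com'
    verify_bind
    enable_remote_management localadmin
    add_root_ca /Library/Deploy/corp-root-ca.cer
    set_update_catalog http://sus.example.com/index.sucatalog
    set_loginwindow_banner 'Authorised use only.'
}

case "${1:-}" in
    plan)  DRY_RUN=1 provision ;;
    apply) DRY_RUN=0 provision ;;
esac
```

Usage: `sh provision.sh plan` prints every command that would run; `sudo sh provision.sh apply` executes them. Run `prep_image_for_capture` only on the master before capturing the image, never on deployed machines. The `-allowAccessFor -specifiedUsers` kickstart step is what keeps remote management from being opened to every local account, and `dsconfigad -show` afterwards is the cheap check that the bind did not silently fail.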