We just completed an almost identical project. Using Ansible, drop a file to tag the machine as being ready for patching. That tag can either cause the computer to join a group or directly cause the relevance of the patching action previously opened. In your Ansible sequence, if you want to do more following the completion of the patching, just leverage the SOAP API to query the state of the open action for the computer and, when completed, proceed to the next phase. Ansible does have some problems with the sequence failing to reconnect to the computer following reboots, so it worked best just leveraging the SOAP API.