You probably should open a PMR to make sure you have all your issues handled, but here's a little detail on how I'm dealing with my airgap and some warnings from my own support call.
First off, the fixlets in the new RHSM patching model requires that the client be subscribed to the "Patches for RHEL x" site. You can use custom copies of the fixlets, but they depend on Site Files attached to the RHEL site to do some of their client-side processing.
You'll need to use the RHSMDownloadCacher tool to download and create a repository for your RHEL patches. Have you gotten that to work yet? The download files don't live directly in sha1 anymore. The new RHSMProtocol:// handler requires that it exists as a YUM repository (which the RHSMDownloadCacher generates.
To use the repository in an Airgap, you must host a copy of the repository directly on the BigFix Server (Windows), or to local storage or NFS mount on Linux. You install the RHSM Download Plug-In on your Airgapped BigFix Server. Once that's done, under the BES Server installation directory, you'll get a DownloadPlugins folder that will contain the RHSMProtocol folder. Edit the plugin.ini to point to your airgapped repositor and set the localCacheOnly option. I changed the following lines in mine:
; Original entry had forwardslash at CurrentSiteData/DLRHELRepoList.json
primaryRepoListFile=D:\Program Files (x86)\BigFix Enterprise\BES Server\GatherDBData\gather\Patching Support\CurrentSiteData\DLRHELRepoList.json
localCache = D:\Program Files (x86)\BigFix Enterprise\BES Server\wwwrootbes\CustomSites\RHEL_Repo
localCacheOnly = yes
rootCertDir = certs
Beneath the RHSMProtocol directory, I created a "certs\cert_set_1" folder, containing my RHSM certificates. Strictly-speaking I don't know whether that's required on the Airgap side, or only on the Internet-facing BES server, but I have it on both.
The RHSMDownloadCacher does indeed download a lot - it builds an entire repository mirroring everything available from RHSM. I don't think there's any way around that; I've asked for options like "only Relevant fixlets" but I don't think there's going to be any motion on that. The RHSMDownloadCacher is also unnecessarily slow in that it also validates by checksum all of the existing files in the download repository, and it looks like a future version will add an option to skip the validation. In my environment it takes about 5-6 hours nightly to run the download cacher. I'm hosting about 160 GB of patches in my repo, covering only RHEL 6 Server and Workstation, x86_64. I like your scripts, and maybe you can try to parse the fixlets and use the "download specific package by name" parameter for the cacher, but the client does its own dependency resolution and may download dependent packages during the action so be ready for that.