1 - They can actually be the same top-level domain; you just need to change your General Settings > Web SSO settings. For instance, I could set the SSO domain to .ibm.com instead of a more specific domain, where my servers are in test.org.conx.ibm.com and portalserver.portal.ibm.com.
2 - It's much easier if they use the same repository, but it is not required, as long as the LTPA token is used to log in to the secondary server such as Connections.
3 - Well, whatever group you have in your corporate LDAP that is set to manage Portal, and the IDs which you have to access the Portal. Generally these should be either mail, cn or uid.