Hello Community!
I am attempting to install additional features to my FortiClients in the field, specifically, the SSOMA feature.
I have created a package with the features I want.
I have created a "Managed Deployment" and linked it to an OU that has clients that are going to need the feature, and the deployment is Enabled.
In the EMS, I can see the endpoints being notified they need the install (the endpoint does show in the client that the administrator has scheduled an install). The installation finishes - the EMS reports (with a green checkmark) that the deployment was successful.
The feature that I pushed, unfortunately, does not appear, even after reboot.
What am I doing incorrectly?
Is there a log I should be looking at?
Attempting to push the package via a 3rd party agent using msiexec (with the transforms.mst) shows that the local .mst file from C:\windows\installer\ is being used, which doesn't have the feature needed.
Am I using this "Managed Install" feature incorrectly?
How are others adding features to EMS FortiClients in the field that need it (in an automated fashion)?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Little more flavor to the issue:
Opened a ticket with support and they informed me that the Managed Upgrade feature of the EMS is only to support moving to new versions of the FortiClient; not for installing new features. They did mention that if a new feature is included in your package while upgrading, the new feature will be installed (no dice for me as I'm on the latest).
They also indicated that attempting to msiexec install features is not supported - the only supported method for getting new features is to do a managed uninstall, and reinstall with the features that you need. They did express installing pretty much all the other features, for this exact reason.
They also mentioned that you MAY be able to msiexec install features, but, this is not something they support.
We are still going to try this method of getting the feature to install as we are on a tight deadline to get this product rolled out. Any help or comments regarding this are appreciated!
Edit: spelling mistakes
Alright, for anyone else following along, we tested this in our lab and came out with some positive results. WARNING: I'm not responsible if you brick your environment, or anything else that happens - we tested this, but I'm not sure what long-term impacts this will have on an environment. Conventional wisdom says not to mess with anything in your C:\windows\installer directory... we are doing that here.
1. get the product GUID:
get-wmiobject Win32_Product | Sort-Object -Property Name |Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize
it will be the "FortiClient" named line - you can probably filter on this for automation... These are all the same in our environment
2. run the following commands: (see comments for details, obviously, the 'meat' of this is the replacement of the MST, and running the msiexec to install the feature.)
#create a directory to work in
New-Item -Path "C:\" -Name "ems" -ItemType "Directory"
Set-Location C:\ems
#download the MSI from your ems server
invoke-webrequest -uri "https://ems.mycompany.com:10443/installers/default/wf-ra-reg-ma2/msi/x64/FortiClient.msi" -outfile C:\ems\FortiClient.msi
#download the MST from your ems server
invoke-webrequest -uri "https://ems.mycompany.com:10443/installers/default/wf-ra-reg-ma2/msi/x64/FortiClient.mst" -outfile C:\ems\FortiClient.mst
#rename the cached mst on the local system
Rename-Item -Path 'C:\windows\installer\{WHATEVER-YOUR-PRODUCT-CODE-IS}\forticlient.mst' -NewName 'forticlient.old.mst'
#copy over the new mst into the cached directory
Copy-Item -Path "C:\ems\FortiClient.mst" -Destination 'C:\windows\installer\{WHATEVER-YOUR-PRODUCT-CODE-IS}\forticlient.mst'
#run the installer
msiexec /i "C:\ems\FortiClient.msi" ADDLOCAL=Feature_SingleSignOnMobility /qn /L*vx! C:\ems\fortiems-install.log.txt
#check if it installed
Test-path 'C:\Program Files\Fortinet\FortiClient\FSSOMA.exe'
Clients immediately started reporting the feature in EMS.
I welcome any comments or discussion - we are continuing to test but will probably be rolling this out in short order.
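A more defensive version of the steps in the post above, as an added example that is not part of the original thread and not Fortinet's own tooling. It reads the product code from the Uninstall registry key instead of Win32_Product (querying that class makes Windows Installer run a consistency check on every installed MSI package), verifies the MSI's Authenticode signature before use, backs up the cached transform, and checks the msiexec exit code. The DisplayName filter and the "Fortinet" signer match are assumptions; the URL, paths and feature name are the ones given in the post.

```powershell
# Added example, not from the original post. Assumptions are marked ASSUMPTION.
$ErrorActionPreference = 'Stop'
$work    = 'C:\ems'
$baseUri = 'https://ems.mycompany.com:10443/installers/default/wf-ra-reg-ma2/msi/x64'  # URL from the post
$feature = 'Feature_SingleSignOnMobility'                                              # name from the post

# For MSI installs the Uninstall subkey name is the product code.
# ASSUMPTION: DisplayName starts with "FortiClient" and exactly one entry matches.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$entries = @(Get-ChildItem $uninstall | Where-Object {
    $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' -and
    (Get-ItemProperty $_.PSPath).DisplayName -like 'FortiClient*'
})
if ($entries.Count -ne 1) { throw "Expected one FortiClient MSI entry, found $($entries.Count)" }
$productCode = $entries[0].PSChildName
$cachedMst   = "C:\Windows\Installer\$productCode\forticlient.mst"   # cached path as given in the post
if (-not (Test-Path -LiteralPath $cachedMst)) { throw "Cached transform not found: $cachedMst" }

New-Item -Path $work -ItemType Directory -Force | Out-Null
Invoke-WebRequest -Uri "$baseUri/FortiClient.msi" -OutFile "$work\FortiClient.msi"
Invoke-WebRequest -Uri "$baseUri/FortiClient.mst" -OutFile "$work\FortiClient.mst"

# Refuse to continue unless the MSI carries a valid Authenticode signature.
# ASSUMPTION: the signer subject contains "Fortinet"; pin the exact subject or thumbprint you expect.
$sig = Get-AuthenticodeSignature -FilePath "$work\FortiClient.msi"
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Fortinet*') {
    throw "MSI signature check failed: $($sig.Status)"
}

# Back up the cached transform outside C:\Windows\Installer and record SHA-256 of old and new.
$backup = "$work\forticlient.mst.bak"
Copy-Item -LiteralPath $cachedMst -Destination $backup -Force
Get-FileHash -LiteralPath $backup, "$work\FortiClient.mst" -Algorithm SHA256 |
    Format-List Path, Hash | Out-File "$work\mst-hashes.txt"
Copy-Item -LiteralPath "$work\FortiClient.mst" -Destination $cachedMst -Force

# Run msiexec, wait for it, and accept only 0 or 3010 (success, reboot required).
$msiArgs = "/i `"$work\FortiClient.msi`" ADDLOCAL=$feature /qn /L*vx! `"$work\fortiems-install.log.txt`""
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
$ok = ($proc.ExitCode -in 0, 3010) -and (Test-Path 'C:\Program Files\Fortinet\FortiClient\FSSOMA.exe')
if (-not $ok) {
    Copy-Item -LiteralPath $backup -Destination $cachedMst -Force   # roll the cached transform back
    throw "Feature install failed, msiexec exit code $($proc.ExitCode)"
}
```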