Channel: Security forum

Cross-Certification for Non-Windows Clients


Still trying to get more information on getting my SHA256 root CA certificate signed by my SHA1 root CA (temporarily), and having non-Windows entities recognize that:

Creating Cross-Certification between two root CAs within the same organization (one hierarchy is all SHA1 and the other is all SHA256) and distributing the CrossCA certificate is painless enough for Forest members because it gets published to AD and from there comes down to the Forest member certificate store (Trusted Intermediary). But what is the best way to get non-Windows end entities to also recognize the CrossCA certificate? The RFC (http://tools.ietf.org/html/rfc5280#section-4.2.2.1) states you can configure the AIA extension to point to a collection of certificates, but then that means (unless I am missing something) I need to modify the AIA extension configuration on my SHA256 root CA to point to the PKCS7 container on my http location, then issue my SHA256 SubCA certificates to my subordinate CAs. So this way when my SHA256 subordinate CAs issue end entity certificates to non-Windows entities the chain of trust will go back to my SHA1 root CA.

Both hierarchies are 2-tier.

End Entity cert from SHA256 Subordinate CA --> http location specifying the location of the SHA256 SubCA .crt --> http location specifying the location of the exported Cross-Certification certificate in PKCS7 format (which contains the SHA256 root CA certificate and the SHA1 root CA certificate).

Does this seem like the correct configuration?  If so, how easy will it be to remove this configuration when the cutover is complete?  If this is all correct then I assume the only way to remove this configuration is to modify the AIA extension of the SHA256 root CA and then issue new SubCA certificates to my SHA256 subordinates.
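The chain described above, as an added example that is not part of the original post: it builds a throwaway two-root PKI with OpenSSL (constructed names, hypothetical CAs) and checks that an OpenSSL-based verifier, standing in for a non-Windows client, validates an end-entity certificate from the new hierarchy against the old root when it is given the SubCA certificate plus the cross-certificate, which is exactly what the AIA caIssuers pointer is meant to deliver. Both roots sign with SHA-256 here because OpenSSL 3 rejects SHA-1 CA signatures at its default security level; the cross-certification mechanism is the same either way.

```shell
#!/bin/sh
# Added example: two-root PKI with a cross-certificate, verified with openssl(1).
set -e

# Write a v3 extension file for a CA certificate with the given path length.
ca_ext() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\nkeyUsage=critical,keyCertSign,cRLSign\n' "$1" > "$2"
}

# Issue cert $4 for CSR $3, signed by CA cert $1 / key $2, with extension file $5.
sign() {
  openssl x509 -req -in "$3" -CA "$1" -CAkey "$2" -CAcreateserial -days 30 -sha256 \
    -extfile "$5" -out "$4" 2>/dev/null
}

# Build the whole PKI in a fresh temp directory and cd into it.
build_pki() {
  cd "$(mktemp -d)"
  ca_ext 1 ca1.ext; ca_ext 0 ca0.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext
  # Two self-signed roots: the existing root (old.crt) and the new root (new.crt).
  for r in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=$r Root" -keyout "$r.key" -out "$r.crt" 2>/dev/null
  done
  # Cross-certificate: the NEW root's key and name, signed by the OLD root.
  # This is the certificate the post wants to publish behind the AIA URL.
  openssl req -new -key new.key -subj '/CN=new Root' -out cross.csr 2>/dev/null
  sign old.crt old.key cross.csr cross.crt ca1.ext
  # Subordinate CA under the new root, then an end-entity certificate under it.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=new Sub CA' \
    -keyout sub.key -out sub.csr 2>/dev/null
  sign new.crt new.key sub.csr sub.crt ca0.ext
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=host.example.test' \
    -keyout ee.key -out ee.csr 2>/dev/null
  sign sub.crt sub.key ee.csr ee.crt ee.ext
  # What a client holds after following the AIA pointers: SubCA cert + cross cert.
  cat sub.crt cross.crt > via_aia.pem
}

# Return 0 when end-entity cert $3 validates with trust anchor $1 and intermediates $2.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

build_pki
verify_chain old.crt via_aia.pem ee.crt && echo "old root + cross cert: OK"
verify_chain new.crt sub.crt ee.crt    && echo "new root alone (after cutover): OK"
verify_chain old.crt sub.crt ee.crt    || echo "old root without cross cert: FAIL (expected)"
```

The third check shows the failure mode when a non-Windows client trusts only the old root and never obtains the cross-certificate; the second shows the end state once clients trust the new root directly and the cross-certificate is no longer needed.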
