The primary function of a SEG is to protect your Exchange infrastructure. Instead of allowing your devices to connect to your Exchange directly for EAS connectivity, they will instead connect through the SEG in front of your Exchange. Within the SEG, you can set policies to ensure only enrolled and compliant devices can access the mailbox. You can also set additional policies to restrict attachment types as well as the mail clients that can access the mailbox. Without the SEG and based on your Microsoft KB, you can also set up certificate-based authentication, except the leg work is within Exchange. Like Luke mentioned previously, you will only configure and deploy the cert to your devices with AirWatch, and yes, you can proceed without the SEG.
I am in the same boat now where introducing new technology involves multiple teams. I can imagine the challenge but I think in the end it's all worth the extra mile for the end users.
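To make the gateway logic in the post above concrete, here is an added example (not the poster's code and not AirWatch's real API) that models the SEG admission decision for one proxied ActiveSync request: enrolled-and-compliant device, allowed mail client, permitted attachment type, and deny by default. The device inventory, client allow-list and sample requests are constructed.

```python
"""Model of the SEG admission decision for proxied EAS requests.
Constructed sample data; not AirWatch's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed MDM inventory: DeviceId -> (enrolled, compliant).
DEVICE_INVENTORY = {
    "ABC123": (True, True),
    "DEF456": (True, False),   # enrolled, but currently out of compliance
}
# Constructed allow-list of mail clients, matched on User-Agent prefix.
ALLOWED_CLIENT_PREFIXES = ("Apple-iPhone", "Outlook-iOS-Android")
# Constructed attachment-type restriction applied to attachment fetches.
BLOCKED_ATTACHMENT_EXTS = (".exe", ".js", ".vbs")


@dataclass
class EasRequest:
    url: str                               # /Microsoft-Server-ActiveSync?Cmd=...&DeviceId=...
    user_agent: str
    attachment_name: Optional[str] = None  # set for ItemOperations attachment fetches


def seg_decision(req: EasRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown devices are denied by default."""
    query = parse_qs(urlparse(req.url).query)
    device_id = query.get("DeviceId", [""])[0]
    enrolled, compliant = DEVICE_INVENTORY.get(device_id, (False, False))
    if not enrolled:
        return False, f"device {device_id or '<none>'} not enrolled"
    if not compliant:
        return False, f"device {device_id} non-compliant"
    if not req.user_agent.startswith(ALLOWED_CLIENT_PREFIXES):
        return False, f"mail client not allowed: {req.user_agent}"
    name = (req.attachment_name or "").lower()
    if name.endswith(BLOCKED_ATTACHMENT_EXTS):
        return False, f"attachment type blocked: {req.attachment_name}"
    return True, "allowed"


if __name__ == "__main__":
    sync = "/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceId=ABC123&DeviceType=iPhone"
    print(seg_decision(EasRequest(sync, "Apple-iPhone12C1/1902.117")))
    print(seg_decision(EasRequest(sync, "Apple-iPhone12C1/1902.117", "invoice.exe")))
```

The real SEG applies these checks to the live ActiveSync stream (some clients also send the query string base64-encoded); the model only covers the plain query form.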