The Org Zoo
First you have to register only once as partner. Then I see really no need for your migration of the packaging org for your base-package. The one Enterprise Org is purely for administration usage and typically not for development. Usually you would like to install the LMA and use the Environment Hub there.
You can leave the developer orgs just where you started the development initially. If your ISV process is completed, you can simply log a case and the support will upgrade your original DE orgs to all the specs as if they would have been created via the hub or partner portal.
So to be clear: you need 3 DE orgs and not 1 EE plus 2 DE for the pure development of your app.
Push Flavours
If you have your partner process completed, you have this feature by default. Maybe you have to log an additional case for those of your DE orgs form you pre-partner-time. Unfortunately you get only a "light version" by default. Those push upgrades even for partners come in two flavors: Push-Minor and Push-Major. With push-minor you can only change existing components, which is in fact not very helpful for most use cases. And for push major - and that's the sad truth - you need to pass the security review.
You can read a bit more on that here:
Since I'm unhappy with that situation, I plan to development an automatic pull-upgrade mechanism which eventually might overcome this limitation. MetadateAPI should make it possible.
Extension Models
Now a few words to extension packages: in my experience the way the platform deals with extensions brings you more problems than benefits. You get dependent packages by installing the base package into the extension (DE) org and then starting to develop stuff there using components or apex of the base org. If if you update classes in the base org you need not only need upgrade the base package in the extension org, but also to manually update the version number. Developing simultaneously base and extension felt so uncomfortable and time consuming that I gave up this approach totally.
An other point you have to keep in mind is that you should try to have all your DEs on a single pod (like na9 or eu3). You find everywhere that it does not matter on which pod you are - but that's only the half truth. If you upload a package you get it immediately for install on the same pod. On all other pods, you have to wait 5 to 10 minutes before your installer-link becomes usable. If you need to upgrade it often, this will eat up a lot of time. To move orgs afterwards between pods is hard an will be mostly rejected by the support. Then you have to do it manually.
But instead I use a different approach for extensions. And I use it heavily and in many projects.
What I do now is to create a couple of independent packages - each one in a separate DE org. At least in the eyes of the platform I keep them unrelated. I get this by only touching the objects and fields dynamically and by the pure usage of dynamic SOQL. You can't do everything dynamically in Salesforce - but a lot! Apex helper classes I usually have as redundant copies in all orgs. In case of updates I deploy them to all orgs. I make extensive usage of the schema functions. Needless to say that I consume MetadataAPI and ToolingAPI like a junkie in all projects.
This part I can't really recommend for beginners but in my most recent projects I'm creating the entire data-modell dynamically using MetadataAPI/ToolingAPI after install. So even if the client uninstalls the packages - he still has his data in his org - without costly ETL or data-migration.
I also tend to write wrapper classes to get a less verbose apex code especially for the schema functions. The buildin syntax sucks. I published some of my helper classes here: https://github.com/UweHeim/xt
What you get is that the platform will become blind for your dependencies now. You can install, update and uninstall each packages as you like. The platform does not bother you any more by preventing it. Of course you can break now a lot things, of course as a tradeoff you loose all help from the platform and you have to deal with all unmet dependencies dynamically and on your own.
You can have a look at CodeFusion, which is a private managed package (as you like it) and has also two extension packages (as you plan). This is the base:
And here are the extensions:
This is a free and native developer IDE which I plan to opensouce in the future.
I try to keep the packages as loosly coupled as even possible.
note: This original issue was based on Mobile SDK 3.1 & 3.12. I believe it may be present in 3.2, but I don't have an active project with which to confirm. I have been testing 3.3.3 lately, and am no longer seeing this issue, although I am seeing other issues.
I did find a workaround for this, based on points 4 and 5 above. In my custom login page, I call an action method in the controller on page load:
<apex:page controller='SiteLoginController' action='clearSid' ... >
The clearSid method checks to see if the current request has a sid param but the user is not logged in (see update 5 above); if so, it redirects the user to the app's landing page without the sid param. At that point, the user is just trying to access a protected resource, so the system redirects back to the login page, only with a session id.
While this prevents the app from being locked for ever after a timeout, session refreshes are not working correctly. I believe that to be a separate Mobile SDK issue, which has been at least partially resolved in 3.3.3 (see link above for more).
Best Answer
With Enterprise Distribution:
If you're not using an Enterprise profile, you have to manually collect and include UDIDs of the devices you want to allow in your provisioning profile. This is generally what you do for beta testing an app prior to release.
Long story short, I think your focus on a private Appexchange listing is misplaced. The first question you should answer is whether you're going to list your app publicly on the Apple app store, and if so, why bother with Enterprise distributions?
Enterprise Distributions are intended for apps internal to a single company, as the name suggests. They are not intended for distributing a private app outside the Apple app store.
EDIT: So You'd Like To Brand An App (Or: How I Learned to Stop Worrying and Love the App Store)
Let's say you have an iOS app that should be branded individually for each of N customers.
A: Solo Enterprise
B: You Have No Chance To Survive Collect Your UDIDs
C: Public
You cannot use an Appexchange listing to host an IPA file. You need generic file storage (I've used S3 for this) and an installation page your users can access on their devices.
From your comments below, it sounds like you are headed towards Option A. It is irrelevant whether your Appexchange listing is public or private or how many listings you maintain; you will inevitably be shut down by Apple. In case it's not obvious, I think only one of the above options is worth your time. :)
Edit the second: There is one additional overwhelming advantage that is unique to Option C: all of your users receive updates simultaneously and can update without waiting on their admin to distribute your IPA to them... unless, of course, you are hosting the IPA file yourself and built your own app updating and notification mechanisms. (You did? STEP BACK FROM THE EDGE!!!)
Option C might be ruled out if you are using private APIs or engaging in certain other skullduggery that Apple frowns upon. (You did? STEP BACK FROM THE EDGE!!!)