No, they simply need to be able to authenticate to each other once the agent is installed. That means they can communicate on the required ports (typically port 80; 443 if SSL) and the task ports (50120-50124). If your application identity doesn't automatically have rights across multiple domains, or the domains are untrusted, you may need to use an Agent Connectivity Credential that is separate from the application identity:
http://www.symantec.com/docs/HOWTO4752
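A reachability check for the ports listed in the reply above, added here as an example and not part of the original reply or of any Symantec tooling. It separates "refused" (host reachable, nothing listening) from "filtered" (no answer, typically a firewall drop), since the two call for different fixes; the host name `ns.example.internal` is a placeholder.

```python
import socket
import sys

# Ports named in the reply above.
WEB_PORTS = (80, 443)                     # 443 is only relevant if SSL is in use
TASK_PORTS = tuple(range(50120, 50125))   # 50120-50124 inclusive


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The host answered with a reset: reachable, but no service is listening.
        return "refused"
    except socket.timeout:
        # No answer at all: usually a firewall silently dropping the packets.
        return "filtered"
    except OSError as exc:
        # Name resolution failure, no route to host, and similar.
        return "error: %s" % exc


def check_agent_ports(host, ports=WEB_PORTS + TASK_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def blocked(results):
    """Ports that did not accept a connection, in ascending order."""
    return sorted(port for port, state in results.items() if state != "open")


if __name__ == "__main__":
    # Placeholder host name; pass the real server name as the first argument.
    server = sys.argv[1] if len(sys.argv) > 1 else "ns.example.internal"
    results = check_agent_ports(server)
    for port, state in sorted(results.items()):
        print("%5d  %s" % (port, state))
    if blocked(results):
        print("not reachable:", blocked(results))
```

Run it on one machine against the other; a port that is not in use in your environment (for example 443 without SSL) will show as refused or filtered and can be ignored.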