A company/organization entirely outsources its software development to another company. That's their business model. The developers working for the company whose name appears on their paycheck work for the client in every way except for who signs the paycheck (so to speak).
The entire development effort (client and developers) implements CMMI.
IF BOTH the leaders of the client company AND the developer company take part in the process efforts, e.g., GP2.1, GP2.7, GP2.8, GP2.10, GP3.2, et al. can the SCAMPI be done such that both OUs are delineated? Can BOTH organizations lay claim to a rating?
I think the key element comes down to the definition of the Organizational Unit. And you imply in your scenario that there are two OUs. One OU has outsourced the engineering work and the other OU is performing the engineering work. Given the OU definitions, I think that this scenario indicates the need for two SCAMPI appraisals. One for the client using the CMMI-ACQ since it has outsourced the development work and one for the development organization using the CMMI-DEV.