Under normal circumstances CA PAM goes to the internet when deploying the CA PAM Client. Specifically, files are retrieved from an AWS Service called Cloudfront, which is used to distribute binaries. You can go to https://d21oi5tjuccwe.cloudfront.net to see what is available. This includes the installers for the various platforms we support, the different versions of CA PAM for which it is available, and the Java runtime executables. The url will open into XML code, but you can easily identify this information by locating the KEY tags. Here are a few:
In order to set up your private CDN you must do two things. The first is to build your depository. You just need to match the directory structure at the location used by CA PAM. You can see that structure at this url: https://docops.ca.com/ca-privileged-access-manager/2-8/EN/implementing/accessing-your-appliance-server/ca-pam-client-for-alternate-appliance-access#CAPAMClientforAlternateApplianceAccess-ServeCAPAMClientInstallers. You will have to download, or otherwise obtain, the various binaries and place them into the correct folders in your CDN. Once this is done you will have to configure CA PAM to point to your private CDN. You can see this in the screen capture below.
At this point, CA PAM is ready to deliver the installers and Java runtime executables from the private CDN. Your users just need to select the client they wish to download from the login page, assuming that you've enabled the Download Button, as above. This does not allow for an admin to push out the Client to their users. That would require a separate process, which might depend on your organization's environment.