Take a look at:
It allows you to import certificates into Firefox via command line.
You could then create a custom def that runs the list command first to see if your cert is imported or not and then add it via a repair action. You could also just create a package deployment and have it run the import commands and push it out.
Hope this helps get you down the right path,
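The list-then-import check described in the reply above, as an added example that is not part of the original post. It assumes NSS `certutil` is on the PATH and that the certificate file is PEM; the function names, nickname, default trust flags (`C,,`) and paths are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: idempotent "list first, import only if missing" for one
# NSS certificate database. Each Firefox profile directory holds its own
# database, so call ensure_cert once per profile directory.

# cert_present DB_DIR NICKNAME
# Exit status 0 if a certificate with that nickname is already in DB_DIR.
cert_present() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# ensure_cert DB_DIR NICKNAME PEM_FILE [TRUST_FLAGS]
# Prints "present", "imported" or "failed"; returns non-zero only on failure,
# so a management tool can use the status for its detect/repair logic.
ensure_cert() {
    # Detection step: nothing to do if the nickname is already listed.
    if cert_present "$1" "$2"; then
        echo present
        return 0
    fi
    # Refuse to call the import with an unreadable certificate file.
    if [ ! -r "$3" ]; then
        echo failed
        return 1
    fi
    # Repair step: import (-a = ASCII/PEM input), then list again to confirm
    # the certificate really landed in the database.
    if certutil -A -a -d "$1" -n "$2" -t "${4:-C,,}" -i "$3" \
        && cert_present "$1" "$2"; then
        echo imported
        return 0
    fi
    echo failed
    return 1
}

# Example call (placeholder profile directory and file names):
#   ensure_cert "$HOME/Library/Application Support/Firefox/Profiles/xxxx.default" \
#       "Example Corp Root CA" /path/to/example-root-ca.pem
```

Running it a second time reports `present` and changes nothing, which is what makes it safe to push repeatedly from a deployment tool.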
The problem with NSS certutil is that there's not a current compiled binary publicly available and any binaries that I could find were at least a couple of years old. Going that route involves the extra complication of getting the source and then compiling it for Mac. We may end up having to use the suggestion for Firefox found here for "Managing security certificates from the console - on Windows, Mac OS X and Linux - Sadique Ali".