Do I need to host the CMP JS script on my site domain?
No. As long as the CMP JS script loads in the 1st-party domain, the CMP will be able to store consent as a 1st-party cookie.
For server-to-server (S2S) ad calls that take place before content is returned to the browser, do I need to add CMP JS to my pages?
Yes, include CMP JS, because downstream creatives and pixels may occasionally need to obtain consent. However, if you are confident your property only conducts S2S ad calls, you may opt out.
Yes. The interface is standardized so that any client-side component that ingests and interprets consent can get this from the CMP JS.
How does CMP JS work with creatives inserted into iframes?
The IAB spec specifies that iframe communication to and from the CMP JS be allowed via postMessage()/safeFrames. See the example above in the Ad Call/Pixel integration section.
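The iframe side of that postMessage exchange, as an added example (not code from this FAQ or from the IAB spec text). It assumes the IAB CMP JS API v1.1 names `__cmpLocator`, `__cmpCall` and `__cmpReturn`; `findCmpFrame` and `createCmpClient` are hypothetical helper names. The client only accepts replies whose source is the frame it addressed, so another frame on the page cannot inject a forged consent answer.

```javascript
// Added example: iframe-side client for the CMP postMessage channel.
// Assumption: IAB CMP JS API v1.1 message names (__cmpLocator, __cmpCall, __cmpReturn).

// Walk up the frame tree to the window that hosts a "__cmpLocator" child frame.
function findCmpFrame(win) {
  let f = win;
  while (f) {
    try {
      if (f.frames && f.frames['__cmpLocator']) return f;
    } catch (e) { /* cross-origin access denied: keep climbing */ }
    if (!f.parent || f === f.parent) break;
    f = f.parent;
  }
  return null;
}

// Returns cmp(command, parameter, callback) for code running in `win`,
// or null when no CMP frame is reachable.
function createCmpClient(win) {
  const cmpFrame = findCmpFrame(win);
  if (!cmpFrame) return null;
  const pending = new Map(); // callId -> callback awaiting a reply
  let seq = 0;

  win.addEventListener('message', (event) => {
    // Accept replies only from the window we sent the request to.
    if (event.source !== cmpFrame) return;
    let data = event.data;
    if (typeof data === 'string') {
      try { data = JSON.parse(data); } catch (e) { return; }
    }
    const ret = data && data.__cmpReturn;
    // Ignore anything that is not a reply to one of our own calls.
    if (!ret || !pending.has(ret.callId)) return;
    const callback = pending.get(ret.callId);
    pending.delete(ret.callId);
    callback(ret.returnValue, ret.success);
  });

  return function cmp(command, parameter, callback) {
    const callId = 'cmp-' + (++seq);
    pending.set(callId, callback);
    // The creative does not know the publisher origin, hence '*';
    // the request itself carries no consent data.
    cmpFrame.postMessage({ __cmpCall: { command, parameter, callId } }, '*');
  };
}
```

In a creative this would be called as `createCmpClient(window)`, then for instance `cmp('getVendorConsents', null, callback)`.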