| Maybe you could leverage Dynamic Client Registration: http://www.keycloak.org/docs/3.3/securing_apps/topics/client-registration.html. There you could, on the fly, set the correct redirect URL when passing the Client Representation to the client registration endpoint. But that implies having an `Initial Access Token`; these are generated by Keycloak and should be passed to UPS in some way. These tokens can also be created by invoking an Admin KC endpoint; see an example here: https://github.com/keycloak/keycloak/blob/master/misc/keycloak-test-helper/src/main/java/org/keycloak/test/TestsHelper.java#L190-L196 |
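
A sketch of the registration call suggested in the comment above, as an added example that is not part of the original comment or of the Keycloak or UPS code. The base URL, realm, client id and token value are constructed placeholders, and the exact-https redirect check is a hardening assumption of this example, not a Keycloak requirement.

```python
import json
import urllib.request
from urllib.parse import urlsplit


def registration_url(base, realm):
    # Keycloak's default client registration provider; `base` is assumed to
    # include the /auth context path used by Keycloak 3.x.
    return f"{base.rstrip('/')}/realms/{realm}/clients-registrations/default"


def redirect_uri_ok(uri):
    """Policy assumed for this example: absolute https, no wildcard, no fragment."""
    parts = urlsplit(uri)
    return (parts.scheme == "https" and bool(parts.netloc)
            and "*" not in uri and not parts.fragment)


def build_registration_request(base, realm, client_id, redirect_uris, initial_access_token):
    """Build (but do not send) the POST carrying the Client Representation."""
    bad = [u for u in redirect_uris if not redirect_uri_ok(u)]
    if bad:
        raise ValueError(f"refusing to register loose redirect URIs: {bad}")
    body = {"clientId": client_id, "redirectUris": list(redirect_uris)}
    return urllib.request.Request(
        registration_url(base, realm),
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            # The Initial Access Token is presented as a bearer token.
            "Authorization": f"Bearer {initial_access_token}",
        },
    )


def register_client(request):
    """Send the request; the returned representation carries the
    registrationAccessToken needed for later updates of this client."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    req = build_registration_request(
        "https://kc.example.test/auth", "demo", "ups-client",
        ["https://ups.example.test/callback"], "IAT-PLACEHOLDER")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

The Initial Access Token is a credential: issue it with a low use count and short expiration, and hand it to UPS over a channel you would trust with a client secret.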