I've created both an OTA update solution and an MDM solution. The OTA app must be signed with the platform certificate, or made into a privileged app (system/priv-app).
What you could do, which we've done for the MDM solution, is to create a very small application with a service that you can bind to and communicate with using AIDL, and execute the API (this APK must require the REBOOT permission, so it must either be signed, or made into a privileged app located in system/priv-app). The application should of course verify that the one calling the AIDL API is permitted (e.g. by checking that it's a system app, though not necessarily a system privileged app).
You don't need to make any changes to the base Android framework.
Hope the above was clear.
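
Added example, not part of the original answer: a sketch of the bound service described above, with the caller check done on every AIDL call. The package name, the `IRebootService` interface and the `RebootService` class are hypothetical names chosen for illustration; the service is assumed to be exported in the manifest and the APK to hold `android.permission.REBOOT`.

```java
// Assumed AIDL, hypothetical file IRebootService.aidl in the same package:
//   interface IRebootService { void reboot(String reason); }
package com.example.reboothelper; // hypothetical package name

import android.app.Service;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.PowerManager;

public class RebootService extends Service {
    private final IRebootService.Stub binder = new IRebootService.Stub() {
        @Override
        public void reboot(String reason) {
            // Check the caller on every call, not once in onBind():
            // the Binder object can be handed on to another process.
            int uid = Binder.getCallingUid();
            if (!isSystemApp(uid)) {
                throw new SecurityException("UID " + uid + " may not request a reboot");
            }
            // Requires android.permission.REBOOT, hence platform signing or priv-app.
            PowerManager pm = (PowerManager) getSystemService(POWER_SERVICE);
            pm.reboot(reason);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // True only if every package under the calling UID has FLAG_SYSTEM set.
    private boolean isSystemApp(int uid) {
        PackageManager pm = getPackageManager();
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null || packages.length == 0) {
            return false; // unknown caller: deny
        }
        for (String name : packages) {
            try {
                ApplicationInfo info = pm.getApplicationInfo(name, 0);
                if ((info.flags & ApplicationInfo.FLAG_SYSTEM) == 0) return false;
            } catch (PackageManager.NameNotFoundException e) {
                return false; // package cannot be resolved: deny
            }
        }
        return true;
    }
}
```

The `SecurityException` thrown inside the stub is marshalled back over Binder, so a rejected caller sees it on its own side of the AIDL call.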