There is now a "Reference Architecture" section in the Identity Suite documentation. In particular the "Logical Architecture and Network Context"
Regarding your question about separation of the components, one guide is the required spec for each component in a production environment. And also it's typical to divide by tier.
So your front end tier would be Identity Portal, Identity Manager and Identity Governance. Each of these requires 8 GB of free RAM in a "production" deployment, as well as the RAM required to run the OS. The recommended spec is 16 GB of RAM and 4 virtual CPUs (see here for full details). This would imply a single component on each vApp as there's not enough RAM there for two components. Alternatively, you could deploy a vApp with, say, 30 GB RAM and more CPUs, and then deploy all three front end components.
The Provisioning Server, Connector Server and User Store are all considered back-end components. They also have lower memory requirements (6GB, 2GB and 4GB respectively). So they could all go on a single server.
Obviously, database must be external for a production deployment, and can be any of the supported options. And you will need an external Windows server to host the Windows Connector Server and other administrative tools.
It also depends on your expected load. For high expected transaction volumes, you may wish to separate all components and even increase the memory available by customizing the JVM start-up parameters as described in the "custom JVM arguments" section here.
Assuming that you want HA, you would then need 2 of each server type (except the central log server).
Pearse