I guess given a proper mangling of the input even a single nonce should be sufficient for most purposes (eg. the SHA256 of a predetermined public server seed + nonce should be unpredictable enough for a single random outcome. A much slower cryptographic hash would likely be preferable though). I'm not sure whether including multiple nonces would up the security level that much (ie. since an attacker would know the other nonces, they could adjust their nonce-"space" accordingly). But like I said, I'm not sure whether such an attack would be viable to begin with.