Allowing a custom socket factory on the outbound URL lets HTTPS/SSL validation be skipped through a custom TrustManager implementation. While the HTTP-based handle allows for non-secure URLs, this setting is still useful for development and testing, and in cases where CAS clients "require" HTTPS callbacks for proxy authentication. In this scenario, a custom SSL factory provides the option of skipping keys and certs between the server and the respective client.
Alternatively, this may be achieved by a custom servlet listener that adjusts the SSL factory for all instances of HTTPS URLs, but that would be a global change and not without side effects.
In addition to the socket factory option, allowing a hostname verifier would also be relevant, much as the current Java CAS client does.
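The difference between a per-connection factory and the global change described above, as an added example (not CAS code). It assumes a dev-only truststore instead of a trust-all TrustManager; the class name, the host client.dev.example and the /proxyCallback path are hypothetical.

```java
import java.net.URI;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ScopedTlsCallback {

    // Build a socket factory that trusts only the certificates in the given store.
    static SSLSocketFactory factoryFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Apply the factory and verifier to this one connection only.
    static HttpsURLConnection open(URL url, SSLSocketFactory factory,
                                   HostnameVerifier verifier) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(); // no network I/O yet
        conn.setSSLSocketFactory(factory);
        conn.setHostnameVerifier(verifier);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder: an empty in-memory store standing in for a dev CA truststore.
        KeyStore devTrust = KeyStore.getInstance(KeyStore.getDefaultType());
        devTrust.load(null, null);

        String callbackHost = "client.dev.example"; // hypothetical callback host
        // Consulted only when the default hostname check fails; accepts this one host, nothing else.
        HostnameVerifier onlyCallbackHost = (host, session) -> callbackHost.equalsIgnoreCase(host);

        SSLSocketFactory globalBefore = HttpsURLConnection.getDefaultSSLSocketFactory();
        URL callback = URI.create("https://" + callbackHost + "/proxyCallback").toURL();
        HttpsURLConnection conn = open(callback, factoryFor(devTrust), onlyCallbackHost);

        // The JVM-wide default is untouched; only this connection carries the custom factory.
        System.out.println("default unchanged: "
                + (globalBefore == HttpsURLConnection.getDefaultSSLSocketFactory()));
        System.out.println("per-connection factory differs from default: "
                + (conn.getSSLSocketFactory() != globalBefore));
    }
}
```

Calling HttpsURLConnection.setDefaultSSLSocketFactory from a listener would instead change the factory for every HTTPS connection in the JVM, which is the side effect the text warns about.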