...
Tickets have two properties. They have a "grantor" property, that is either null or the GrantingTicket that granted them. They also have a String identifier which uniquely identifies the ticket from a large namespace. Part of the identifier is drawn from a large space uniformly at random. This is key to CAS's security.
GrantingTickets add to Ticket an additional property: the immediate authenticated Principal to which the GrantingTicket was issued. This might be a user Principal, in the case of the GrantingTicket that is stored into a secure cookie in a user's web browser, or this might be a service Principal, in the case of a GrantingTicket that was issued by secure callback to an application or to an otherwise authenticated application out there on the Internet.
ServiceTickets add to Ticket an additional property: the Target to which the ServiceTicket is intended to authenticate.
It's turtles all the way down.