...
Signing, rather than encrypting, the information in a ticket granting ticket is probably sufficient. The content of an eventual ticket validation responseOut of the box, CAS does not authenticate services validating service or proxy tickets, and so the full content of the ticket validation response is available to the possessor of a ticket granting ticket, service ticket, or proxy ticket. Of course, if you were to selectively enhance the ticket validation response on the basis of authenticating services requesting ticket validation, via such means as client certs on those requests, to restrict who has access to what information in a validation response, then the tickets containing this information would need to be encrypted rather than just signed.
Alternatives
An alternative approach is to cluster CAS by sharing state across CAS server instances in a cluster. This shared state could be in an RDBMS or in a messaging, in-memory Java state cache.