Well known modifications to baseline CAS 2.x:
Services whitelist
High level discussion
An important feature of CAS is its openness. Bring up a CAS instance at your institution and you can let application developers of varying trustworthiness and ability produce applications against which your users securely authenticate. Passwords are not exposed to these potentially suspect applications. There's a lot to be said for not having to centrally manage the set of applications authorized to use your central authentication server.
However, some institutions nonetheless want to restrict the set of applications able to authenticate using CAS. This is typically implemented as a whitelist of services. Service tickets will only be vended for whitelisted services.
Feature specification
CAS administrators can specify a whitelist of services. CAS will only vend tickets for these services. It is easy to implement compelling user factors / UI for the case where the service is not authorized for ticket vending.
Implementation notes
This can be implemented under CAS 2.x as a Filter which examines the "service" parameter of the login / proxy request and forwards to an error page if the service is not authorized. A similar implementation may be very possible under CAS 3.0. That is, this feature may not require any changes or accomodations by the CAS server product itself.