Now where's the problem? Well in the various applications we need to authorize the user depending on their position in the company. So it could be that the "Tom" in Domain1 can access an application but the "Tom" from Domain2 not. So how we can distinguish between the two "Toms"?
Despite that some of the applications, basically the ones that are developed in-house, can be extended to consider the domain passed as argument(see CAS & Attributes), there are some third party apps that cannot. So how those applications could have worked before? Basically for those we have one running version per domain, which solved the problem.
For those now we had to find another way. As we cannot check it on the application side the domain check needs to be implemented on CAS meaning that on "validateServiceTicket" another check to the authenticating Domain needs to be placed.
Important in this case is not to change to much of the original structure of CAS, in order not to loose the possibility to update when CAS updates. The solution has not yet been implemented nor tested, so stay tuned for the solution post.
UPDATE: Finally there is the solution