We have the CAS server return a hash in extraAttributes called "MemberOf" that returns every group the user is a member of. I do feel that the next version of CAS should formally address this as part of the main spec. But our MemberOf is paired to AD; but I'm sure it could be configured to work with a non-AD data store.