Does the ASA copy the ToS byte from the original packet into the newly created IP header of an encrypted packet (VPN)? I'd appreciate a pointer to a Cisco doc that has the details.
On the ASA the TOS bits in the original IP header are copied to the IP header of the encrypted packet so that QoS policies can be enforced after encryption.
It is done by default with no extra commands needed as on the routers.
Please check if your incoming packets have the DSCP bits set if you see that there is no DSCP on the outside.
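One way to run the check suggested in the answer above, as an added example that is not part of the original thread: it reads the ToS byte from a cleartext packet seen on the inside and from the encrypted packet seen on the outside, and reports whether the DSCP survived. It assumes the two packets come from captures of the same flow and are supplied as raw IPv4 bytes; the function names and the sample packets are constructed for illustration.

```python
import struct

ESP, UDP, NAT_T_PORT = 50, 17, 4500  # IP protocol numbers; UDP port for ESP-in-UDP

def build_ipv4(tos, proto, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) + payload."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # documentation ranges
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def parse_ipv4(pkt):
    """Extract ToS byte, DSCP, ECN and protocol from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {"tos": pkt[1], "dscp": pkt[1] >> 2, "ecn": pkt[1] & 0x03, "proto": pkt[9]}
    if info["proto"] == UDP and len(pkt) >= ihl + 4:
        info["ports"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

def is_ipsec(info):
    """True for native ESP or ESP encapsulated in UDP 4500 (NAT-T)."""
    return info["proto"] == ESP or NAT_T_PORT in info.get("ports", ())

def check_tos_copy(inside_pkt, outside_pkt):
    """Compare DSCP of a cleartext inside packet with the encrypted outside packet."""
    inner, outer = parse_ipv4(inside_pkt), parse_ipv4(outside_pkt)
    if not is_ipsec(outer):
        return "outside-not-ipsec"
    if inner["dscp"] == 0:
        return "inside-unmarked"   # nothing to copy: the packet arrived without DSCP
    return "copied" if outer["dscp"] == inner["dscp"] else "lost"

if __name__ == "__main__":
    inside = build_ipv4(0xB8, 6)                       # DSCP 46 (EF), TCP
    natt = struct.pack("!HHHH", 4500, 4500, 8, 0)      # UDP header only
    for label, outside in [("ESP, ToS kept", build_ipv4(0xB8, ESP)),
                           ("ESP, ToS zeroed", build_ipv4(0x00, ESP)),
                           ("NAT-T, ToS kept", build_ipv4(0xB8, UDP, natt))]:
        print(label, "->", check_tos_copy(inside, outside))
```

An "inside-unmarked" result corresponds to the case in the answer where the incoming packets never had DSCP set, so there was nothing to copy to the outer header.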