This is what I think after spending a few weeks trying to load balance the traffic using 3 CAS servers for L3 OOB mode.
I understand the need for PBR or ACL to force the traffic from auth VLAN to the untrusted side of the CAS.
Once the CAS is selected, the CAS server should be able to perform NAT (or PAT) to change the source address to the trusted side address so that the return traffic will come back to the right CAS and there is no need to do PBR for the return traffic from DNS or to apply class maps to the ACE, etc.
Why can't Cisco make it easier by doing NAT on the trusted side and all we have to do is take care of the load balancing on the untrusted side?
Unless Cisco does this, I do not think the L3 OOB is ready for enterprises, in my opinion.