You need to define your requirement better.
You want to restrict ACS to authenticate only users with a child domain, is that it ?
Then simply by ACS to that child domain and write your access policies to verify that the users belong to that child domain. Then you're good to go