I agree with Ray that most of the heavy lifting for that scenario would be in the application. However, what is going on is that there are different levels of access based on the session context.
So if I am able to log in simply because of a long-lived session cookie, I have access to some parts of my user data. But to make changes or spend money, I need to have additional authorization, often in the form of a more recent authentication.
CAS can still be a component in that kind of authentication/access control decision, but the enforcement of such a policy is typically within the application. For example, an application may allow you to view your data with a simple authentication. But in order to modify or access your stored credit card information, you may be required to authenticate with some kind of MFA. CAS can provide attributes that can aid the application in deciding whether or not this type of access should be granted. But it is typically the application's responsibility to enforce that kind of access control.
Thanks,
Carl Waldbieser