There are many different things you could do, the issue is communicating to Play which user is currently logged in. The redirect could easily be handled by an Apache out the front, but you would still need something to verify the SSO cookie. This would normally be in Play, and for that you need a CAS client making calls on the CAS server. This really shouldn't be hard to implement, since they provide a working Java client. I've implemented integration with an SSO server in Play 2 before (not CAS, but I've worked with lots of SSO services before, they are all the same, you find an SSO cookie, you verify it against the SSO server, if it verifies, they are logged in, if not, they aren't), you're looking at about 100 lines of straight forward code max (assuming the CAS client API is simple to work with). Just implement an authenticator that checks for a session, if it finds a session, verify the session matches the current SSO cookie, if it finds no session, check for an SSO cookie, if it finds an SSO cookie, call the verify method on the CAS client, and if it verifies, add the user and the cookie to the current session.
If you *really* didn't want to implement it in Play, your alternative would be having Apache add a header to requests when it finds and verifies an SSO cookie, and then write an authenticator in Play that uses this. But it really would be easier to implement the authenticator in Play.