This is in reference to Jasig's CAS software and I'm looking for a checklist to audit the state of security of a CAS implementation. While the Jasig site has a lot of documentation and their mailing list is active, is there any reference document or standardized checklist for security auditors to refer to?