Ticket expiration policy is the primary configuration point for CAS security policy.
New CAS documentation site
CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.
Although there are many other aspects of security policy that can impact overall security policy of an SSO solution, e.g. password expiration, most of those are outside the scope of CAS configuration. Password expiration is probably the most requested security policy feature of CAS on the cas-user list, and there have been some attempts to provide extension to CAS for this feature. LDAP Password Policy Enforcement (LPPE) is one such solution.