Sites like gmail, yahoo and even ja-sig wiki have a Remember Me checkbox. Cas should provide similar functionality.
A web site could contain three levels of protection:
1. Public - Any and all people can view this content ( Cas not used at all here ).
2. Previously authenticated - If you have been here before there is no need to login again. If you have the cookie, that is good enough.
3. Requires authentication. If the user want to change their password, the presence of the cookie is not good enough, they must enter user and password before they can access this level of functionality.
From the client side, it would be useful to know if they recently entered in credentials or if they accessed the site via cookie.
http://www.boxesandarrows.com/view/guiding_princip is an interesting writeup on thinking about remember me customization. They make a sharp distinction between "remember me" and "staying logged in" which I think is worth considering, especially since that's how major internet sites like banks, Amazon, etc. tend to operate – they force you to log in before doing real stuff.
Since CAS controls the login screen it needs to be involved in this kind of scenario, but it's unclear how to handle things. Perhaps more auth meta-data sent to the client, and the client forces re-authentication when they raise the needed security level? piggybacking on your thoughts on cookie login?
Or... just enhance the client libraries to set their own cookies that store something like username, but keep you unauthenticated?