Wow, an entire month and nothing?
Well I am here to tell everyone, do not tread into this transition lightly.
I have worked with TAC slowly over the last couple of months to make sure this was a straight forward and easy transitions, but I am disappointed to say, I have been bitten by the complexity that this change makes to our configuration.
First of all, if you are using Split-tunnel on your RA-VPN, DO NOT go by the instructions in TAC Doc#117693: ASA VERSION 9.2.1 VPN Posture with ISE Configuration Example. (First order of business that I take issue with is, the entire document mentions nothing about a VPN ACL (split tunnel or otherwise) and does nothing to describe how such an ACL would be overridden by ISE. It just has you create an ACL ('Redirect') on the ASA that is not assigned to anything, then in the ISE configs tells you to tell ISE to call on that ACL at some point.
It took me hours of working with TAC to get my split-tunnel config working correctly before we even started reworking the ISE side of the config. And now we are sort of in limbo with our VPN users because at this time anyone that connects to the VPN has full internal network access even before the NAC agent pops up to start the posture process and it stays that way, pass or fail.
We currently have Cisco jumping through hoops to get this config solved.
In general I think that if we didn't use split-tunnel things would be much smoother on this, but things as they are, we are unable to change that.
Working with TAC we can clearly see on the ASA that the dACL is being pushed to the VPN users, but it seems the split-tunnel ACL from the original VPN connection is forcing precedence over any ACL pushed down from ISE.