The short answer is yes, CTS can be deployed manually. But the published TrustSec solution guides really rely on the dynamic functions of ISE to provide classification of endpoints, and administration of policy. I cannot stress enough the value that ISE provides in being able to control this solution.
What you described is entirely possible. You can manually configure SGT mappings, you can manually configure SGACLs, but consider the operational cost that manually maintaining all of this requires. ISE provides a central policy service to tune and push these constructs and it's very good at it. CTS manual will forward tags inline without ISE being involved, SXP can be configured without ISE (doesn't scale well), and policy can be enforced if you create it in the correct spots.
I would strongly recommend against going down this path.
This guide provides the configurations to manually configure TrustSec on IOS XE devices. Because no one section contains everything, this will also be the link that provides the SGT to IP options you would require.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16/sec-usr-cts-xe-16-book/sec-usr-cts-xe-16-book_chapter_01101.html
This specific section provides the steps to manually configure SGACLs.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16/sec-usr-cts-xe-16-book/sec-cts-sgacl.html
CTS manual/CTS propagation is described in its own section.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-16/sec-usr-cts-xe-16-book/cts-sgt-handling-imp-fwd.html
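
The pieces named in the reply above, sketched as one IOS XE configuration. This is an added example, not part of the original post and not taken from the Cisco guides. All addresses, SGT numbers, interface names and the SGACL name are constructed, the SXP password is a placeholder, and exact syntax varies by platform and release, so check it against the linked guides.

```cisco
! 1. Static classification: IP-to-SGT mappings kept by hand on each device
cts role-based sgt-map 10.1.10.25 sgt 10
cts role-based sgt-map 10.1.20.0/24 sgt 20
!
! 2. SGACL defined locally; role-based ACLs match on protocol and
!    ports only, because source and destination are the SGTs
ip access-list role-based BLOCK_REMOTE_ADMIN
 deny tcp dst eq 22
 deny tcp dst eq 23
 permit ip
!
! 3. Bind the SGACL to a source/destination SGT pair (one matrix cell)
cts role-based permissions from 10 to 20 BLOCK_REMOTE_ADMIN
!
! 4. Enforcement has to be enabled where the destination is attached,
!    otherwise the policy above is defined but never applied
cts role-based enforcement
cts role-based enforcement vlan-list 20
!
! 5. Inline tagging on a link to another TrustSec-capable device,
!    without ISE (CTS manual)
interface TenGigabitEthernet1/0/1
 cts manual
  policy static sgt 2 trusted
!
! 6. SXP towards a peer that cannot receive inline tags; each peer
!    is a separate, manually maintained connection
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password <SXP_PASSWORD_PLACEHOLDER>
cts sxp connection peer 10.0.0.2 password default mode local speaker
```

Every mapping, SGACL and permissions line has to be repeated and kept consistent on each enforcing device, which is the operational cost the reply describes. `show cts role-based sgt-map all` and `show cts role-based permissions` show what a given device has actually installed.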