Hello BB, yes we are on the right path here.  Your suggestions got me thinking, although creating a separate network zone for a single client would be a nightmare, I could probably use ISE policies to either push an ACL when they connect to Wired or Wireless LAN or change their VLAN membership (and ultimately segregate them).  I do need to check if changing VLAN membership is supported on a wireless network. 

Thank you!

I was able to get this working.  Basically created a VLAN called RED-VLAN. This VLAN is segregated and we can apply security access control.  Created a policy in ISE to push an Authorization profile that uses Airspace ACL which matches a Meraki Wireless Group Policy.  On the Meraki APs, created a group policy to change the VLAN tag to 88 (RED-VLAN).  Also configured the Access control settings on Meraki to respond to CoA from ISE.  This worked perfectly.  Client associated to the corporate SSID, then CoA occured and they were moved to VLAN88.  

Unless anyone else has any other alternative suggestions, I think I will run with this solution and present it the management.

Thanks again @balaji.bandi for pointing me in the right direction.

appreciate your input. since we do not know, your environment, so I have suggested a high level, good you picked up nicely and deploy. ISE is a very good place to the segment.

Thank you for marking it as a solution.

Hi Dinesh, thank you for your reply but we don't have any control over the third-party's ASA.  This is merely outbound VPN access to environment beyond our control.