It is my understanding that the IP address of the client must change when it moves from auth to access.
It is still OOB because traffic only goes through the CAS during authentication/remediation. Because there are no VLAN mappings it is not VGW.
Typically the CAS is at a core location, and you use policy routing or ACLs to separate auth traffic from access (though i prefer VRF) to "pipe" auth traffic back to the CAS.
Once auth is successful, the CAM switches the port to the access vlan.