For anyone that does come across this post looking for the solution unfortunately it appears that cisco have not addressed this and has been around since 2007 ish. Seems like a fundamental flaw in dap (especially as it them appears to always select the default grp policy so you cannot even select a different group policy based on the dap results - unless anyone can correct me here)
https://supportforums.cisco.com/discussion/11202696/split-tunneling-based-dynamic-access-policy?tstart=2640
https://tools.cisco.com/bugsearch/bug/CSCsi54718