dynamic split tunneling on ASA/Anyconnect using ISE radius attributes

Damien Zwart

Hi,

Does anyone know if it is possible to use Cisco ISE RADIUS attributes to configure dynamic split tunneling?
We currently use split-tunnel for our VPN users, but it is based on IP addresses instead of domain names. Because of that we would like to use dynamic split tunneling so we can use URLs/domain names.

The Cisco article I found describes how to implement it using ASDM or CLI, but our preferred method is to use Cisco ISE RADIUS attributes, where the VPN user logs in and receives an authorization profile from ISE.
Article I found:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html

Kind regards,
Damien

7 Replies

I don't get the Q totally,
but you can use Split Domain under the one group-policy,
then configure ISE to return this group-policy name to the ASA, which will use it, and hence you get dynamic split.

Hi MHM Cisco World,

Thank you for your answer. I will try to explain my situation:

I have added these configuration changes to make it work;

webvpn
anyconnect-custom-attr dynamic-split-include-domains description Dynamic Split Tunneling
!
anyconnect-custom-data dynamic-split-include-domains exampledomain www.exampledomain.com
!
group-policy EMPLOYEE attributes
anyconnect-custom dynamic-split-include-domains value exampledomain

And it works as expected. However, it isn't according to our current preferred design. It is preferred not to have these lines of configuration on the ASAs. The preferred situation is to let ISE add them as an attribute when the user logs in.
We already use split tunneling based on IP by using an access-list, and the attributes are pushed by ISE to the ASAs, so we don't need those config lines on the ASAs.

Here's the ISE authorization profile for the split tunneling based on IP address currently in use:

[Screenshot jurgen1.png: ISE authorization profile]

ernistnt123

I'm looking for the same solution: how to integrate Dynamic Split-Tunneling with DACL from Cisco ISE. Is there a way to have the DACL dynamically changed based on Dynamic Split-Tunneling?

I see that the simplest option would be to use "permit any any" in the DACL, but I am concerned that a remote user may apply a route locally on their machine in order to access other IPs, potentially overriding split-tunneling configurations.

IMO these are two completely different concepts. DACLs control what traffic is allowed to your corporate network over the tunnel, while dynamic split tunneling and static split tunneling control what traffic is sent in clear to the Internet by the client. Hence you don't need to keep them in sync. For example, static split-include list can be configured to send 10/8 over the tunnel, but DACL can impose more strict restrictions on the traffic.

When it comes to the original question, AnyConnect custom attributes (e.g. dynamic-split-exclude-domains) cannot be pushed from a RADIUS server.
As far as I understand, the DACL (Downloadable Access Control List) is a crucial component pushed from Cisco ISE to the ASA. It dynamically appears on the Cisco ASA and is specifically assigned to AnyConnect users:

 
access-list #ACSACL#-IP-DACL_...

Meanwhile, the access list configured on the Cisco ASA and assigned to a user's tunnel settings comprises a list of routes applied on the VPN user's machine. It is called the SPLIT-TUNNELING ACL.

Ensuring alignment between these two is vital. If the DACL from Cisco ISE doesn't include the new IP address after a dynamic tunnel IP change, the ASA might drop the traffic.

Certainly, you could opt for a "permit any any" setup on Cisco ISE and regulate user access solely via routes (from split-tunneling). In such cases, syncing split-tunneling and ACL might not be necessary.

However, a potential issue arises if a user manually adds additional routes on their machine while connected to the VPN, aiming to access resources over the VPN. This could conflict with the established routing policies and potentially lead to a security breach.

Nope. This is the other way around. You should never use a "permit ip any any" DACL and instead should configure as strict a DACL on ISE as possible. In this case users would never be able to circumvent your security policy. The static split-include ACL configured on the ASA and pushed down to the client can be relaxed, e.g. 10/8, etc. Hence it need not be in sync with the DACL. The dynamic split ACL is typically deployed in a "dynamic split-exclude" form, to send traffic to specific FQDNs to the Internet in clear. Obviously, if it is configured like this, it relates to the DACL as apples to oranges.
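To make the distinction in the reply above concrete, here is an added example (not from the thread or from Cisco) that models the two controls as two independent first-match checks: the client's tunnel route list and the ISE-pushed DACL evaluated on the ASA. The simplified ACE parser, the sample DACLs and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample policy (not from the thread):
SPLIT_INCLUDE = ["10.0.0.0/8"]            # relaxed split-include ACL pushed by the ASA
USER_ADDED = ["192.168.50.0/24"]          # route the user added locally on the client
TUNNEL_ROUTES = SPLIT_INCLUDE + USER_ADDED
STRICT_DACL = ["permit tcp any host 10.1.1.5 eq 443", "deny ip any any"]
OPEN_DACL = ["permit ip any any"]


def parse_ace(line):
    """Parse a simplified ASA extended ACE: permit|deny PROTO SRC DST [eq PORT].
    SRC/DST are 'any', 'host a.b.c.d' or 'a.b.c.d m.m.m.m' (wildcard syntax not handled)."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    nets = []
    for _ in range(2):
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32")); i += 2
        else:
            nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")); i += 2
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, nets[0], nets[1], port


def dacl_allows(dacl, proto, dst, dport):
    """Headend check on the ASA: first matching ACE decides, implicit deny at the end."""
    for line in dacl:
        action, p, _src, dnet, port = parse_ace(line)
        if p in ("ip", proto) and ipaddress.ip_address(dst) in dnet and port in (None, dport):
            return action == "permit"
    return False


def client_tunnels(tunnel_routes, dst):
    """Client-side decision: the packet enters the tunnel if any tunnel route covers the
    destination, whether the route came from the split-include list or was added by hand."""
    return any(ipaddress.ip_address(dst) in ipaddress.ip_network(r) for r in tunnel_routes)


def reaches_corporate(dacl, tunnel_routes, proto, dst, dport):
    """A flow reaches a corporate resource only if the client tunnels it AND the DACL permits it,
    so a route the user adds locally cannot bypass a strict DACL."""
    return client_tunnels(tunnel_routes, dst) and dacl_allows(dacl, proto, dst, dport)
```

With OPEN_DACL the user-added 192.168.50.0/24 route gets traffic into the corporate network; with STRICT_DACL the same packets are dropped at the ASA, and a newly resolved 10.x address that is tunnelled but not listed in the DACL is dropped too, which is the trade-off the two posts disagree about.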

First of all, we use split-tunneling for only corporate or vendor internet sites. So we don't VPN ALL traffic through the corporate Cisco ASA. And that is fair, as we have a BYOD policy and the client may have other applications which consume internet traffic, and we don't want to route it through the corporate network. So Split-Tunneling has to sync with the DACL from Cisco ISE.

If we don't use "permit ip any any" in Cisco ISE then Dynamic Split-Tunneling won't work: if the IP of a domain changes, a new route appears on the client's machine, but it won't go through the Cisco ASA, as the ASA drops it by the filter applied from Cisco ISE (DACL), which doesn't have the new IP.

   Filter Name : #ACSACL#-IP-DACL_xxx-xxx   <- comes from Cisco ISE