The CAS protocol supports Single Logout with a separate /logout endpoint. This requires some support on the application to effectively end the session.
We could probably set up daily regression tests which log in and log out into registered services (to e.g. prevent that e.g. the logout functionality breaks when we upgrade to let's day a new version of an application).