Ah Ok, I checked our access.log and also ssl_access.log and there is nothing really that stands out even with the command you mentioned.
I do however see that most of the pluginfile.php GET requests are coming from the theme files.
We do not use HTTPs for everything, only logins since CAS requires it. Have you tried just using HTTPs from logins only?
We have just started using CAS behind a load balancer and have already started seeing some session issues with a valid session not being found thus making the user login again. Im not sure if its moodle or CAS but we are looking into it, our other applications do not have any session issues.
Which version of CAS? Is it the Jasig built release or a custom version from the original Yale CAS? We use 3.4.11 from the Jasig releases.