Implementing per-user rate limiting is difficult, because the common ways to identify a user (cookie, IP address) can be defeated by an attacker.
A simplistic yet efficient approach could be
sleep(2); // delay every token check by two seconds, whether it succeeds or fails
before you return the result of the token check. Such a small delay is acceptable for a legitimate user but will slow down a brute-forcing attacker.
In the case of a password reset token that is generated by the system, making it long enough should not be a problem though. Given enough entropy, rate limiting should not be required to make an attack unfeasible.
As a general guideline about passwords and account security I recommend reading The definitive guide to form-based website authentication (which is not CakePHP specific, though).
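To make the two points above concrete, here is an added example (not part of the original answer, and not CakePHP's own code) of a password-reset token that relies on entropy rather than rate limiting, with the fixed delay applied on every verification path. The function names, the 32-byte token size, the one-hour expiry and the guess-rate figure are assumptions chosen for illustration.

```php
<?php
// Added example: a high-entropy reset token plus an unconditional delay.
// Names, sizes and the expiry policy are assumptions, not from the answer.

const TOKEN_BYTES = 32;          // 256 bits of entropy from the CSPRNG
const TOKEN_TTL_SECONDS = 3600;  // one hour validity (assumed policy)

/**
 * Create a reset token. Returns [$token, $record]: the token is sent to the
 * user, the record (hash + expiry) is what gets stored server-side.
 */
function createResetToken(int $now): array
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));   // 64 hex chars, CSPRNG-backed
    $record = [
        'hash'    => hash('sha256', $token),       // store a hash, never the raw token
        'expires' => $now + TOKEN_TTL_SECONDS,
    ];
    return [$token, $record];
}

/**
 * Verify a submitted token against the stored record. The delay from the
 * answer is applied before any branch, and the comparison uses hash_equals,
 * so neither the delay nor the comparison leaks which check failed.
 */
function verifyResetToken(string $submitted, ?array $record, int $now): bool
{
    sleep(2); // applied unconditionally: missing record, expired and wrong token all take the same time

    if ($record === null || $now > $record['expires']) {
        return false;
    }
    return hash_equals($record['hash'], hash('sha256', $submitted));
}

/**
 * Average time for an attacker to guess a token of the given entropy at a
 * given guess rate, with no rate limiting at all. Illustrates the point that
 * with enough entropy the rate limit is not what makes the attack unfeasible.
 */
function expectedBruteForceSeconds(int $entropyBits, float $guessesPerSecond): float
{
    return (2 ** $entropyBits) / 2 / $guessesPerSecond;
}

// Usage with constructed values
$now = time();
[$token, $record] = createResetToken($now);
var_dump(verifyResetToken($token, $record, $now));
var_dump(verifyResetToken(bin2hex(random_bytes(TOKEN_BYTES)), $record, $now));
printf(
    "%.3g years on average at 1e9 guesses/s with %d-bit tokens\n",
    expectedBruteForceSeconds(TOKEN_BYTES * 8, 1e9) / (365 * 86400),
    TOKEN_BYTES * 8
);
```

The delay sits before the expiry and existence checks on purpose: if it were only applied on the comparison path, an attacker could distinguish "no such token" from "wrong token" by response time. The entropy calculation is there to show the scale, not as a tuning knob; at 256 bits the rate limit is a courtesy to the database, not the security boundary.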