When calling the CAS login URL you need to provide the URL to which you want to return as a parameter. The parameter is also the name of the resource that you want to protect.
https://my.domain.com/cas/login?service=https://my.protected-service.com/path/to/page/
In order to make the ticket valid for all resources on my.protected-service.com you need to widen the scope of the ticket by setting the CAS scope to my.protected-service.com/.
However, I don't know how to achieve that with your setup.
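The difference between the narrow service URL and the widened scope, as an added example that is not part of the original answer and is not the code of any CAS client. The function names are hypothetical, and the scope semantics (exact host match plus path prefix on a segment boundary) are an assumption made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlencode, urlsplit


def login_url(cas_base: str, service: str) -> str:
    """Build the CAS login URL; the service URL is percent-encoded."""
    return f"{cas_base.rstrip('/')}/login?{urlencode({'service': service})}"


def in_scope(resource_url: str, scope: str) -> bool:
    """True if resource_url is covered by scope, written "host/path-prefix".

    Assumed semantics: https only, exact host match, and a path prefix
    that must end on a segment boundary.
    """
    scope_host, _, scope_path = scope.partition("/")
    scope_path = "/" + scope_path
    if not scope_path.endswith("/"):
        scope_path += "/"

    parts = urlsplit(resource_url)
    # Exact host comparison: a suffix or userinfo trick must not match.
    if parts.scheme != "https" or (parts.hostname or "") != scope_host.lower():
        return False

    # Collapse "../" (also when percent-encoded) before the prefix test.
    path = posixpath.normpath(unquote(parts.path) or "/")
    if not path.endswith("/"):
        path += "/"
    return path.startswith(scope_path)


if __name__ == "__main__":
    # URLs taken from the answer above; the "other" paths are constructed.
    service = "https://my.protected-service.com/path/to/page/"
    print(login_url("https://my.domain.com/cas", service))
    narrow = "my.protected-service.com/path/to/page/"
    wide = "my.protected-service.com/"
    for url in (service,
                "https://my.protected-service.com/other/page",
                "https://my.protected-service.com/path/to/pagefoo",
                "https://my.protected-service.com.evil.example/"):
        print(url, in_scope(url, narrow), in_scope(url, wide))
```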