I had to scrap the project before finding a solution.
I think if you can write a custom script and call it from within PacketFence or by way of a FreeRADIUS proxy, you could sidestep the CoA issue. I was thinking the script would log into the controller(s) and run "aaa user delete mac xx:xx:xx:xx:xx:xx" w/ the user's MAC.
Not pretty, but could work. I did something similar w/MAC-auth-fail-open to get usernames populated into my controller from a netreg box.
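A sketch of the workaround described in the post above, added as an example and not the poster's script: it validates the MAC handed over by PacketFence or FreeRADIUS before placing it in the controller CLI line, so a malformed attribute never reaches the controller. The controller host names, the `pf-deauth` account and the non-interactive SSH transport are assumptions.

```shell
#!/bin/sh
# Added example. Host names, account and transport below are placeholders/assumptions.
CONTROLLERS="${CONTROLLERS:-controller1.example.net controller2.example.net}"
SSH_USER="${SSH_USER:-pf-deauth}"   # hypothetical low-privilege account

# Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff
# (separators are ignored wherever they appear). Prints the lowercase
# colon-separated form; returns 1 for anything that is not 12 hex digits.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;   # spaces, ';', quotes, newlines all land here
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Builds the CLI line quoted in the post, only from a validated MAC.
build_delete_cmd() {
    mac=$(normalize_mac "$1") || return 1
    printf 'aaa user delete mac %s\n' "$mac"
}

# Sends the command to every controller. Returns 2 if the MAC is rejected,
# 1 if any controller could not be reached or refused the command, else 0.
deauth_mac() {
    cmd=$(build_delete_cmd "$1") || { echo "rejected MAC: $1" >&2; return 2; }
    rc=0
    for host in $CONTROLLERS; do
        # Assumption: the controller runs a command passed over key-authenticated,
        # non-interactive SSH. Replace this line with an expect script or API
        # call if the controller only offers an interactive session.
        ssh -o BatchMode=yes -o ConnectTimeout=5 "$SSH_USER@$host" "$cmd" </dev/null || rc=1
    done
    return $rc
}

# Called as a script from the RADIUS/NAC side: deauth.sh <mac>
if [ "$#" -eq 1 ]; then
    deauth_mac "$1"
fi
```

The non-zero return codes let the calling hook log a rejected MAC or an unreachable controller instead of failing silently.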