Below is the query:
"(&(sAMAccountName=%{Authentication:Username})(objectClass=user)(!(memberOf=CN=Sales,DC=fishandreef,DC=com)))"
Let me walk you through the customer requirement once again.
1) Customer had 2 authentication sources
a) AD
b) Token server
2) All of the users in a particular group (in this example, consider it to be "Sales") would be using the token server (and the token server was in fact connected to the same AD).
3) So the customer wanted that whenever there was a user connecting and its group belonged to Sales, he should be authenticated via the token server only.
4) Now the simplest way would be to use the token server as the first authentication source. But here is the thing. The token server was also connected back to the same AD. So in the background, there was essentially just one authentication source. Also, we couldn't play much with what we could do with the token server, because the customer was complaining that they had been doing it seamlessly with ACS 4.2 for years, so CPPM should do so as well.
Let me know if it works for you. Using this query format, you can also exclude multiple groups of users.
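As an added example (not part of the original post, and not ClearPass code), the Python below builds the filter from the post with the username already substituted where CPPM would substitute %{Authentication:Username}, extends it to several excluded groups with an OR inside the NOT, and optionally to nested groups via AD's "matching rule in chain" OID 1.2.840.113556.1.4.1941 (a plain memberOf= only sees direct membership, so a user in a sub-group of Sales would slip past the exclusion). It then runs the filter through a small evaluator over a constructed sample directory so you can see which users each variant lets through. The RFC 4515 escaping of the substituted username is this example's own assumption: the post says nothing about how CPPM escapes that value, so verify it on the real system, because an unescaped `*` turns the user lookup into a match-everything clause, as the escape=False case shows.

```python
import re

# Constructed sample directory (not real data): user entries plus a map of
# group DN -> the groups that group is itself a member of (for nesting).
SALES = "CN=Sales,DC=fishandreef,DC=com"
SALES_EMEA = "CN=Sales-EMEA,DC=fishandreef,DC=com"
ENGINEERING = "CN=Engineering,DC=fishandreef,DC=com"
GROUPS = {SALES: [], SALES_EMEA: [SALES], ENGINEERING: []}
USERS = [
    {"sAMAccountName": ["alice"], "objectClass": ["top", "person", "user"], "memberOf": [SALES]},
    {"sAMAccountName": ["bob"], "objectClass": ["top", "person", "user"], "memberOf": [ENGINEERING]},
    {"sAMAccountName": ["carol"], "objectClass": ["top", "person", "user"], "memberOf": [SALES_EMEA]},
]
# AD extensible-match rule that makes memberOf follow nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_exclusion_filter(username, excluded_groups, nested=False, escape=True):
    """The post's filter with the username substituted and one or more groups
    excluded.  escape=False shows what an unescaped substitution would do."""
    user = ldap_escape(username) if escape else username
    rule = f"memberOf:{IN_CHAIN}:=" if nested else "memberOf="
    clauses = "".join(f"({rule}{ldap_escape(g)})" for g in excluded_groups)
    if len(excluded_groups) > 1:
        clauses = f"(|{clauses})"  # exclude a user who is in ANY of the groups
    return f"(&(sAMAccountName={user})(objectClass=user)(!{clauses}))"


def _parse(s, i):
    """Parse the filter subset used here: (&...), (|...), (!...), (attr=value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, subs), i + 1
    j = s.index(")", i)  # a ')' inside a value is always escaped as \29
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _attr(entry, name):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def _all_groups(entry, groups):
    """Transitive closure of memberOf, lower-cased, emulating the in-chain rule."""
    seen, stack = set(), list(_attr(entry, "memberOf"))
    while stack:
        g = stack.pop()
        if g.lower() not in seen:
            seen.add(g.lower())
            stack.extend(groups.get(g, []))
    return seen


def evaluate(node, entry, groups):
    op = node[0]
    if op == "&":
        return all(evaluate(n, entry, groups) for n in node[1])
    if op == "|":
        return any(evaluate(n, entry, groups) for n in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry, groups)
    _, attr, raw = node
    if attr.lower() == f"memberof:{IN_CHAIN}:":
        return ldap_unescape(raw).lower() in _all_groups(entry, groups)
    values = _attr(entry, attr)
    if raw == "*":  # unescaped '*' is a presence match, like a real server
        return bool(values)
    return any(v.lower() == ldap_unescape(raw).lower() for v in values)


def search(filter_str, users=USERS, groups=GROUPS):
    """Return the sAMAccountNames the filter would let through to the AD source."""
    node = parse_filter(filter_str)
    return [_attr(u, "sAMAccountName")[0] for u in users if evaluate(node, u, groups)]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "direct:", search(build_exclusion_filter(user, [SALES])),
              "nested:", search(build_exclusion_filter(user, [SALES], nested=True)))
    print(build_exclusion_filter("alice", [SALES, ENGINEERING]))
```

In the sample data carol is only in Sales-EMEA, which is itself a member of Sales: the direct memberOf= exclusion lets her through to AD, while the nested variant (or listing both groups explicitly) sends her to the token server as intended.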