
AnyConnect 4.5 and Proxy PAC

  • December 4, 2018
  • 6 replies
  • 55 views

santoroj

We are currently using Cisco AnyConnect v4.5 to connect to our Cisco VPN. Prior to the connection we have internet access; once connected to the VPN, the ASA is pushing a blank configuration, wiping the proxy settings. We have already engaged Cisco and there is no fix from their end. Because AnyConnect is not listed as an adapter, we cannot set a proxy configuration for it. If anyone has come across something like this and has found a solution, I would love to hear what you did. This is causing massive issues with deploying JAMF to our clients.

6 replies

  • New Contributor
  • February 19, 2020

We are having the exact same issue. Did you ever find a solution?


santoroj
  • Author
  • Contributor
  • February 26, 2020

Never got a solution other than a back and forth between Cisco and Apple. Both say it is the other one's issue.


bradtchapman
  • Valued Contributor
  • February 27, 2020

AnyConnect 4.5 is a 32-bit app (or has mostly 32-bit components) and is not recommended anymore.

Even 4.6 and 4.7 use 32-bit hostscan binaries. 4.8 is all 64-bit.

Can you use the newer versions?


  • New Contributor
  • March 2, 2020

So, I figured it out. It's one of those if-you-use-this-specific-setup-it-won't-work kind of deals. When the user connects to VPN, web traffic should go to the PAC file URL defined in System Preferences, but it does not. It appears that there is some kind of "PAC file cache" that gets refreshed when there is a change to a network adapter. Since AnyConnect does not use a network adapter, the refreshing doesn't take place. So what I have done is place a simple "OnConnect" shell script in the /opt/cisco/anyconnect/script folder that runs after the user connects. It bounces the network interfaces, which refreshes the PAC file info, and everything works correctly.


  • Contributor
  • April 1, 2020

@beejybone Can you share that script?


  • New Contributor
  • April 1, 2020

For this to work you have to follow AnyConnect's script rules. It has to be named OnConnect.sh (case-sensitive), has to be executable, and has to be in /opt/cisco/anyconnect/script. I believe you can also have the ASA distribute it, but I didn't have access to those boxes. There is also a 45 second delay to let the compliance module finish its process. If you don't use compliance module you could probably remove that line.

#!/bin/sh -u

# Give the AnyConnect compliance module time to finish before touching proxy settings.
sleep 45

# The first line of -listallnetworkservices is a legend, not a service name, so skip it.
networksetup -listallnetworkservices | awk 'NR>1' | while read SERVICE ; do
    # Only bounce services that have automatic proxy configuration (a PAC URL) enabled.
    if networksetup -getautoproxyurl "$SERVICE" | grep '^Enabled: Yes' >/dev/null; then
        # Toggling the PAC state off and on forces the cached PAC information to refresh.
        networksetup -setautoproxystate "$SERVICE" off
        networksetup -setautoproxystate "$SERVICE" on
        echo "$SERVICE" bounced.
    fi
done
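A companion check, added here as an example and not part of the script posted above: it reads the output of `scutil --proxy` (the system-wide proxy state that the PAC "cache" actually reflects) and reports whether the PAC is enabled and pointing at the expected URL, so an admin can confirm the blank-config symptom before the bounce and its absence afterwards. The URL `http://proxy.example.com/proxy.pac` and the two sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify the PAC state reported by `scutil --proxy` on macOS.
# Samples below are constructed; the expected URL is a placeholder.

# Print the value of one "  Key : value" line from scutil-style output on stdin.
scutil_value() {
    awk -v key="$1" '$1 == key && $2 == ":" { print $3; exit }'
}

# Read `scutil --proxy` output on stdin; print "enabled <url>" or "disabled".
pac_state() {
    text=$(cat)
    enabled=$(printf '%s\n' "$text" | scutil_value ProxyAutoConfigEnable)
    url=$(printf '%s\n' "$text" | scutil_value ProxyAutoConfigURLString)
    if [ "$enabled" = "1" ] && [ -n "$url" ]; then
        echo "enabled $url"
    else
        echo "disabled"
    fi
}

# Return 0 when the PAC is enabled and points at the expected URL, 1 otherwise.
check_pac() {
    expected="$1"
    state=$(pac_state)
    [ "$state" = "enabled $expected" ]
}

# Constructed sample: healthy state after the PAC information has refreshed.
SAMPLE_OK='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://proxy.example.com/proxy.pac
}'

# Constructed sample: the "blank configuration" state described in the thread.
SAMPLE_BLANK='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
  }
  FTPPassive : 1
}'

# Live check when run on a Mac (scutil present); otherwise only the samples apply.
if command -v scutil >/dev/null 2>&1; then
    scutil --proxy | check_pac "http://proxy.example.com/proxy.pac" && echo "PAC ok" || echo "PAC missing: bounce needed"
fi
```

Run it from an OnConnect script or a Jamf extension attribute to log "PAC ok" versus "PAC missing" per connection.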