OK, so I read deeper into the posts and spent some time testing things out over the weekend. Moving the VPN rules outside of the CAG has made the difference. I am moving on to testing the functionality of the CAGs themselves to see if their behavior is correct. Also, not too far off, I am installing an Agent Handler in the DMZ specially to manage the sales force mobile devices that are always connecting through different hotspots.
In my experience, firewall rules to allow VPN traffic should be toward the top of the policy above any other CAGs (especially if you have Connection Isolation enabled in the CAG). This is to ensure that VPN traffic is always allowed on all network adapters at all times.