The C++ Authentication API allows a return code of Sm_AuthApi_SuccessUserFilter, which I am pretty sure will do what you want.
The following information is from the 12.5 Programming guide for C, but seems to be missing from later versions of the doc:
Sm_AuthApi_SuccessUserFilter
SiteMinder disambiguates the user based upon a standard LDAP search filter that the authentication scheme constructs and passes in lpszParam. When SiteMinder is passed this return code, it ignores the Start and End field values configured for the user directory.
While the above documentation is a little better than nothing, it doesn't provide enough information to allow someone to actually program against it. What I suspect is that you can construct an LDAP search expression and return it in the lpszUserMsg output buffer.
Unfortunately, I don't see any reference to any return status resembling Sm_AuthApi_SuccessUserFilter in the Javadoc for the authentication API, nor do I see it in the SmAuthStatus data type when viewing it in my IDE.
You could try opening a tech support case and asking if there is an equivalent in Java to Sm_AuthApi_SuccessUserFilter. If there isn't, then you would have to write a C function and then create a JNI wrapper for it.
What GD has been doing for years (since long before Sm_AuthApi_SuccessUserFilter was introduced) is using the Policy Management API Sm_PolicyApi_LookupDirectoryEntry() method, but that is pretty complex to use, and again is only available in C (we have a JNI wrapper for it).
Unfortunately, I don't know of any relatively easy way of doing LDAP searches from within an auth scheme. All the mechanisms available are somewhat painful. Unless you have some C/C++ skills and know how to use JNI, creating your own pool of LDAP connections to the user store is probably your best bet, unless you have enough clout to get CA Engineering to make an equivalent of Sm_AuthApi_SuccessUserFilter functionality available in Java in the near future.
Rick
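
Whichever of the routes above is used, the scheme ends up building an LDAP search filter from the submitted user name, so that value has to be escaped per RFC 4515 before it goes into the filter. The following is an added example in C, not part of the original post and not CA's code: the function names, the buffer sizes and any attribute name passed in are assumptions, and no SiteMinder call is shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape an assertion value per RFC 4515 ('*', '(', ')', '\' become \XX).
 * Returns 0 on success, -1 if out is too small. */
int ldap_escape_value(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int special = strchr("*()\\", c) != NULL;
        /* Keep one byte free for the terminating NUL. */
        if (o + (special ? 3 : 1) >= outlen)
            return -1;
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Build "(attr=value)". attr is a hypothetical configured attribute name,
 * still restricted to letters, digits and '-'; username is untrusted. */
int build_user_filter(const char *attr, const char *username,
                      char *out, size_t outlen)
{
    char escaped[256];
    const char *p;
    int n;
    if (*attr == '\0' || *username == '\0')
        return -1;
    for (p = attr; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '-')
            return -1;
    if (ldap_escape_value(username, escaped, sizeof escaped) != 0)
        return -1;
    n = snprintf(out, outlen, "(%s=%s)", attr, escaped);
    /* Treat truncation as failure rather than returning a partial filter. */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

A user name containing filter metacharacters comes out as literal text inside a single `(attr=...)` term, and any input that would overflow the buffer is rejected rather than truncated.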