I may be misunderstanding you, but why do you have to use names within your certs to activate your split tunnel? Why can't you define the group and create a split tunnel ACL within it on both ends to serve as the basis for split-tunneling?
access-list nonat permit ip <local ip><local sub> <remote ...
access-list nonat permit ip <local ip><local sub> <remote ...
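For readers who do not have the full snippet, here is what the group-based approach above looks like written out on a Cisco ASA (this is an added illustration, not the poster's configuration or the thread's actual config; the names SPLIT_TUNNEL, VPN_GP and VPN_TG, and the 10.1.1.0/24 and 192.168.50.0/24 subnets, are invented for the example, and the pre-8.3 `nat 0` syntax is assumed):

```cisco
! Subnets behind this firewall that remote VPN clients should reach
! (only these are pushed to the client as "tunnel this"; everything else
! leaves the client's own interface untouched)
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0

! Group policy carrying the split-tunnel settings; no certificate name
! matching is involved, membership comes from the tunnel-group below
group-policy VPN_GP internal
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Remote-access tunnel-group that hands out VPN_GP as its default policy
tunnel-group VPN_TG type remote-access
tunnel-group VPN_TG general-attributes
 default-group-policy VPN_GP

! NAT exemption for the same pair of subnets: local 10.1.1.0/24 to the
! VPN client pool 192.168.50.0/24 must not be translated, otherwise the
! split-tunneled traffic is NATed and the return path breaks
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
```

The check worth doing after applying this is `show run group-policy VPN_GP` and `show run nat` on the firewall, then `route print` (Windows) or `netstat -rn` (Unix) on a connected client: only 10.1.1.0/24 should appear as a route via the VPN adapter. The split-tunnel list and the nonat list must cover the same local subnets; a mismatch between the two is the usual cause of "the tunnel is up but nothing on the inside answers".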