Nope, that’s not possible. In many environments different hosts within a single domain are under the administrative control of totally different people or entities and we don’t currently have a way to confirm whether this is the case for a given domain or not. Sorry for the inconvenience!
You can take a look at threads talking about DNS validation challenges which would allow you to prove control of particular names by updating their DNS records rather than by making configuration changes on the associated hosts. Although this isn’t deployed yet, when it becomes available, it might be more convenient for your use case.
It should be possible. You could set up reverse proxies (using nginx for example) on cas2.domain.com and domain.com to forward requests for /.well-known/acme-challenge to the filter.domain.com server.
Although if you use the names on separate hosts, what’s the benefit of a single SAN certificate over separate certificates?
You should be able to redirect http://domain.com/.well-known/acme-challenge/* and http://cas2.domain.com/.well-known/acme-challenge/* to filter.domain.com and provide the challenge there for verification.
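The two approaches suggested in the replies above (reverse proxy and redirect), sketched as nginx configuration; this is an added example, not part of the original thread. The host names are the ones used in the thread, the split of one approach per host is only for illustration, and the webroot path on filter.domain.com is an assumed placeholder.

```nginx
# On domain.com: proxy only the ACME challenge path to filter.domain.com.
server {
    listen 80;
    server_name domain.com;

    # ^~ stops regex locations from capturing challenge requests.
    location ^~ /.well-known/acme-challenge/ {
        # No URI part on proxy_pass, so the request path is passed unchanged.
        # The Host header defaults to filter.domain.com, which selects the
        # vhost defined at the bottom of this example.
        proxy_pass http://filter.domain.com;
    }

    # ... the rest of the site stays on this host ...
}

# On cas2.domain.com: redirect instead of proxying. The validation server
# follows the redirect and fetches the token from filter.domain.com itself.
server {
    listen 80;
    server_name cas2.domain.com;

    location ^~ /.well-known/acme-challenge/ {
        return 301 http://filter.domain.com$request_uri;
    }

    # ... the rest of the site stays on this host ...
}

# On filter.domain.com: serve the challenge files written by the ACME client.
server {
    listen 80;
    server_name filter.domain.com;

    location ^~ /.well-known/acme-challenge/ {
        # Assumption: the client is run in webroot mode against this directory.
        root /var/www/acme;        # placeholder path
        default_type text/plain;
        try_files $uri =404;
    }
}
```

Scoping the forward to the challenge prefix matters: once it is in place, whoever administers filter.domain.com can pass validation for domain.com and cas2.domain.com, so nothing else under those names should follow the same route.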