The article explains how to exclude traffic (by IP address) from CDO managed tunnels.
The CDO automation creates an access-list and a route-map during tunnel creation, which is used to "permit" IP sources/destinations which are to be routed via the VPN. You can change the access-list through CDO under Policies > ASA Access Policies:
Clicking on the policy will show you the current access-list. On the right hand side you can see which ASA devices this object applies to:
Clicking "Edit Policy" and then using the "Edit Tools" menu allows you to edit the ACL. Traffic can be denied from the ACL to exclude specific sources and/or destinations from being routed via the tunnel.
In the example below, a specific source IP is excluded: