I know this is an 'older' question, but I am getting into the possibility that I too will be working with CEF data. II take it that what you refer to as the "tokened fields" that you mean the "cs#=" and the "cs#label=" fields that are in the "Extension" portion of the messages.
I have not seen anything that indicates there is a way for Splunk to auto-ingest/field extract CEF data. You will likely need to create a transforms to do that and the RegEx should be fairly straight forward for that.
More importantly, I am not sure you'd want to extract these fields at index time; the savings you'd get at search time with this is not likely to be worth the performance impact on index processing to do the extraction and indexing together. I suggest you keep to search time field extractions.