service: include --csd-wrapper script in openconnect arguments
This is needed to fully support the GlobalProtect protocol, as implemented in current
openconnect master. Ping @dwmw2.
At least one protocol (GlobalProtect) requires the security checker ("CSD") script to be invoked during the tunnel/connection phase, rather than the authentication phase, because the access-enabling mechanism depends on knowing the IP address(es) of the client in the internal network. See check_or_submit_hip_report() in cstp.c in OpenConnect.