A lot of the apps I write at work are nearly 100% JS (using ExtJS 4.2), so any request I make to the server is via AJAX. Because of this, I tend to do most data-specific validation (outside of HTML5-ish validation) with ColdBox alone, and update the client validation “state” based on the response from the server.
So for example, when a form is submitted, the request is handled by ColdBox, my entities are populated (using ORM), and then validated using CB validation. If validation fails, the response back to the JS app includes the errors, as well as the fields which produced the errors. I then have a global function that sits on top of all AJAX responses that is able to take the returned errors and apply “state” to the fields in the currently active form, such as warning messages, red outlining, tooltips, etc.
While it’s not bullet-proof (some client-side-specific validation is necessary for certain scenarios), one reason I like this approach is that I can keep validation centralized, and not have to worry about needing to make updates in multiple places as the application inevitably expands.