Two ideas:
1) You can create a configuration profile with VPN on demand. However, this requires client certificate authentication. I assume that if any application tries to access the domains or hosts defined in the VPN section on demand in sleep mode, the VPN will be turned on.
Update . At some point, Apple was brought to justice by VPN on demand, so I believe that they abandoned this feature even after they brought it back. It is a good idea to read this article for iOS 7: http://support.apple.com/kb/ts4550
2) The idea I suggested for this question ( iOS6, switch WiFi to non-jailbroken device ). Here is a copy of the text from there:
I think it makes sense to look at SystemConfiguration.framework.
It has a set of APIs for working with various connection interfaces that are defined here: http://developer.apple.com/library/mac/#documentation/Networking/Reference/SCNetworkConfiguration/Reference/reference.html
This is a private API.
Update . I believe that some changes have occurred in SystemConfiguration, and Apple has simplified security in this structure.
3) Apple may grant some applications additional rights, so they can create functionality that no other application can create. As an example, clients of VPN clients (such as Cisco) have received special rights to create what iOS calls βVPN plugins,β which are essentially VPN clients.