1) introduced a mechanism to call a plugin after the specified plugin(s)
Sample config entry:

dn: cn=Class of Service,cn=plugins,cn=config
[...]
nsslapd-plugin-depends-on-call: referential integrity postoperation
[...]

Having "nsslapd-plugin-depends-on-call: referential integrity postoperation", CoS plugin is guaranteed to be called after the "referential integrity postoperation".

Note: even if CoS is called after Referential Integrity Plugin, the CoS cache may not be updated. (see the next attachment)

2) Thus, to keep the entries affected by the Referential Integrity Plugin, I introduced a pblock field pb_ref_op_entries and the flag SLAPI_ENTRY_REF_OPS. And CoS checks the entries in cos_cache_change_notify.

Here's the test result:
First, both CoS template and the CoS entry have 2 unique members:

$ ./ldapsearch -D "cn=Directory Manager" -w passwd -b "ou=PosixGroups,dc=example,dc=com" "(uniqueMember=*)"
version: 1
dn: cn=uids,ou=PosixGroups,dc=example,dc=com
cosPriority: 1
cn: uids
objectClass: top
objectClass: costemplate
objectClass: extensibleobject
uniqueMember: uid=haizaar,ou=people,dc=example,dc=com
uniqueMember: uid=gilran,ou=people,dc=example,dc=com

dn: cn=testgroup,ou=PosixGroups,dc=example,dc=com
gidNumber: 503
objectClass: top
objectClass: posixgroup
objectClass: groupofuniquenames
cn: testgroup
uniqueMember: uid=gilran,ou=people,dc=example,dc=com
uniqueMember: uid=haizaar,ou=people,dc=example,dc=com

Delete one of them:

./ldapdelete -D "cn=Directory Manager" -w passwd
uid=haizaar,ou=people,dc=example,dc=com

The deleted entry's dn is removed from both CoS template and the testgroup entry:

./ldapsearch -D "cn=Directory Manager" -w passwd -b "ou=PosixGroups,dc=example,dc=com" "(uniqueMember=*)"
version: 1
dn: cn=uids,ou=PosixGroups,dc=example,dc=com
cosPriority: 1
cn: uids
objectClass: top
objectClass: costemplate
objectClass: extensibleobject
uniqueMember: uid=gilran,ou=people,dc=example,dc=com

dn: cn=testgroup,ou=PosixGroups,dc=example,dc=com
gidNumber: 503
objectClass: top
objectClass: posixgroup
objectClass: groupofuniquenames
cn: testgroup
uniqueMember: uid=gilran,ou=people,dc=example,dc=com

Note: before the bug fix, the deleted dn was removed from the CoS template, but NOT from the testgroup entry.