Well, I've never gone up against urlscan before but I just beat F5's ASM XSS filter for the first time, so maybe some of the same tricks will work.
Some of the things I used were:
1. I ditched using <script> because I couldn't get it passed. Instead used<image>. Notice it's not <img>. The WAF would filter <img> tags but not <image> and Firefox would display <image> just fine.
Try iframe, style, and object tags too.
2. Split up the attack between parameters if possible. Break it at key points where the WAF won't be able to understand what's going on.
4. I also ran across spots where the letters "http" were filtered. Here you can usually drop the http: and just use //server/evilcode.php.
I don't know if any of that will be any help at all, and may be completely irrelevant to urlscan, but those are some of the things I've learned with evasion and hopefully some of it carries over.