CORS access to XSODATA services will not be supported until SPS6. Then we extend the .xsaccess file to allow adding the CORS allow headers to child services.
Until then, you best option is probably to run the sencha website from HANA as well. Assuming your UI is completely client side you just load the HTML/JavaScript for Sencha and your application UI into the HANA repository and run it from there instead of Tomcat.