It is not CCA secure because an adversary with access to a decryption oracle may get the key that was used to encrypt a challenge ciphertext via the method I’ve described.
In the CCA experiment, the oracle uses the same key as the challenge ciphertext.
It isn’t secure against the attack because the oracle uses the same key.
The oracle is a tool used to formalize our definition. You’re right that the fact that OTP isn’t CCA secure doesn’t matter in practice because the key is only used for one message so such an oracle doesn’t generally exist.
In the CCA experiment, the oracle uses the same key as the challenge ciphertext.