First of all, if you plan this for like 5.000 to 10.000 users, you might look into getting an F5 partner who can help you out with this. Doing this by yourself for the first time might be quite a challenge and lead to suboptimal results.
As for your questions:
1) Sure, you can add them in your AD (wouldn't be my first choice for webpage auth) and auth against that AD. For a cluster you can add several AAA servers in the APM. In general no specific config on the AD is needed.
2) If you are going to do authentication with a logon page where the user has to enter their username and password, and after authentication allow access to your web application, then the client / browser needs nothing special.
3) You don't buy SSL certificates based on concurrent users. You just buy one for a number of years. And yes, you want to do this because otherwise your users will get a nasty warning message.
The APM itself is licensed on concurrent users, so be sure to think about this well and choose the correct appliance.