We are having the same issue. At this time we have two virtual servers in a layered fashion, and one of them is just for adding headers to the response.
Our approach is now using OpenID, so we are seeing that F5 does not add the headers to its own responses on the OAuth URLs, e.g. {fqdn}/.well-known/openid-configuration
At this time, the solution for me is to change the F5 internal server (Apache) in some way to add CORS response headers to any of the responses, but I don't know how yet.
By the way, the iRule in this case, where we are using OpenID, will not work because the HTTP::Response will trigger only if the traffic comes from the server side. In this case, the OpenID portal and OAuth services run only on the client side.