I had a battle with F5 support team. If you are interested in it, you can read my blog
http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-1.html
(1-4)
After a deep digging, I myself finally figured out the root cause, IDP returned a SAML response which the signature was on response part, but F5 expected a response which signature is on assertion part (WantAssertionsSigned="true").
F5 error message "Digest of SignedInfo mismatch" was not very helpful in my case. Once I had a insight on SAML (actually the hardest part is XML signature), I told myself what joke it was, as we can easily tell the signature is on response part or assertion part from Reference URI in SAML response content.