I think we found a workaround, but have not had time to test it yet.
BIGIP will use cookies to manage the client session, storing the username and a timeout value.
When a request comes in with a valid session (not timed out), the request is passed through to the server. If the request has an invalid session (timed out cookie), the LTM will extract the magic string from the request (another system generates the request from data in the DB) and pass it to a new java app to verify, instead of requesting the original page.
The new java app will take the passed string and query the DB, then place the Authenticated/Not Authenticated response in the reply.
The LTM will examine the reply content and look for the Auth/No Auth codes, then either redirect to an error page or set the username/timeout cookies and redirect the user to the original page they requested.
Any thoughts?