Hi,
You will need to add an additional branch in the AD Query [if the user is a member of group-1 AND group-2].
How will the OTP be generated? You need to have a 3rd-party application to generate OTPs for AD users [like RSA or mi-token]; then F5 APM will send the user's login details to the 3rd-party OTP server as RADIUS authentication [by replacing the RADIUS password with AD user attributes like the mobile phone number].
Then the OTP server needs to have SMS functionality to send the OTP to the SMS server using HTTP Auth.
APM can't send the OTP to the SMS server; APM will pass the user details from the login page to the OTP server, and the OTP server will send the OTP to the SMS server.
APM will be able to send simple messages like "successfully logged on" or "login attempt failed" directly to the SMS server using HTTP Auth.
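The RADIUS leg described above (APM carrying the AD user's mobile-number attribute in the User-Password field of an Access-Request to the OTP server), as an added example that is not part of the original post and not F5 or vendor code; the shared secret, user name and mobile number are constructed values, and the packet layout follows RFC 2865.

```python
import hashlib
import os
import struct

# Constructed sample values for this example (not from the original post).
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST = 1                          # RADIUS packet code
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2   # RFC 2865 attribute types

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator. This is
    obfuscation keyed by the shared secret, not encryption: anyone holding the secret recovers it."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:  # OTP server side
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, mobile, secret, identifier=1, authenticator=b""):
    """What APM sends: User-Name = the AD account name, User-Password = the AD mobile attribute."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes per request
    hidden = hide_user_password(mobile, secret, authenticator)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> tuple:
    """What the OTP server sees: (code, {attr_type: value}) with User-Password revealed."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        attrs[atype] = reveal_user_password(value, secret, authenticator) if atype == ATTR_USER_PASSWORD else value
        pos += alen
    return code, attrs
```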