The connection context for the APM -> HTTP for AAA purposes is actually done between APM/APMD (v11/v12) and the AAA server, rather than Client -> HTTP. So I'm pretty sure the persistence record queried and/or created during the HTTP AAA operation would not match the LTM Client -> HTTP context.
This is closely related to bug ID 429418. Fixing that would require a major and risky architecture change. I think you'll have to do one of the following:
- Somehow allow the AAA operation to take place against the randomized pool.
- Use the HTTP AAA to authenticate the user, then toss the established backend session ID cookie (you'll have to use javascript and/or irules to accomplish this, as the cookies received by HTTP AAA are automatically stored and transmitted back to the client) and again SSO to the chosen server to obtain a new session after the initial APM session is established.
- Customize the APM logon page to provide a reasonable ux instead of using HTTP AAA (use AD or something), then SSO to the backend.
- Don't use a pool for the APM access.