Could be wrong, but not sure reCAPTCHA fits the described scenario. There are actually a few options:
1. APM multi-domain authentication - you mentioned a "kerb token", so not sure if the Access Policy Manager module is an option for you. If it is, there's a native SSO mechanism for that. It essentially requires TWO virtual servers: the application VIP and the logon VIP. The user makes a request at the application VIP, is immediately redirected to the logon VIP for authentication, and then gets sent back to the application VIP after successful logon.
2. APM SAML - another APM option that requires TWO virtual servers. This one is a little more complex than the first, but WAY cooler because the IdP (identity provider - logon VIP) doesn't have to be on the same hardware and can be on any SAML 2.0 compliant product (not just another APM).
3. iRules - I assume you posted in this particular forum because you were looking for an iRules-based solution, and it is possible, but far more laborious than the first two options. You would essentially need: a) a controlled logon page and an authentication method, b) an iRule-driven session token, and c) the logic required to redirect to/from the logon page based on the presence of the session token.