Hi t,
Have you been able to analyze the traffic with HTTPWatch, Fiddler, or something of the like to verify that the STS is providing a cookie with the token to the client and the client is including the cookie when it connects to the service? Additionally, I would check:
* Verify the trust relationship between the IDP and RP;
* Reconfigure the RP to use SSL as well as the IDP & RP (I think you mentioned it is listening on port 80). I know the RP and IDPs require SSL; not sure the target service does, but worth a try.
* Check the persistence method on the Big-IP(s). If they are configured to use cookie persistence, try switching to another method (source-based, perhaps) and test. The persistence cookie may be causing a conflict.
I have performed setups of ADFS servers (both IDP and RP roles), as well as ADFS-enabled web apps behind Big-IPs. I've used both SSL tunneling (SSL pass-through) and SSL bridging (SSL decryption and re-encryption at the Big-IP) for both the connection to the IDP/RP and web servers. However, I have not used SSL offloading (decrypting SSL traffic and passing it to web servers on http).
If you are still having issues, can you get a copy (or screenshot) of the Big-IP virtual server configs?
Thanks,
Greg Coward
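
The cookie round-trip check suggested in the reply above can be run over a saved capture. This is an added example, not part of the original post: the hostnames, cookie names and capture rows are constructed, and the matching is simplified to host-only cookies with prefix path matching.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed capture, in order: (url, request Cookie header, response Set-Cookie headers).
# In practice these rows would be taken from a Fiddler or HTTPWatch export.
CAPTURE = [
    ("https://app.example.test/", "", ["SessionToken=abc123; Path=/; Secure; HttpOnly"]),
    ("http://app.example.test/default.aspx", "", []),
    ("https://app.example.test/default.aspx", "SessionToken=abc123", []),
    ("https://app.example.test/api/data", "", ["Pref=1; Path=/api"]),
    ("https://app.example.test/home", "SessionToken=abc123", []),
]

def audit_cookie_roundtrip(capture):
    """Return (url, cookie_name, verdict) for each stored cookie on each later request."""
    jar = {}  # (host, name) -> {"path": str, "secure": bool}
    findings = []
    for url, cookie_header, set_cookies in capture:
        parts = urlsplit(url)
        sent = set(SimpleCookie(cookie_header).keys())
        for (host, name), attrs in jar.items():
            if host != parts.hostname:
                continue  # assumption: host-only cookies, Domain attribute ignored
            if attrs["secure"] and parts.scheme != "https":
                verdict = "not sent: Secure cookie, request is plain http"
            elif not (parts.path or "/").startswith(attrs["path"]):
                # simplified prefix match, looser than the RFC 6265 path-match
                verdict = "not sent: request path outside cookie Path"
            elif name in sent:
                verdict = "sent"
            else:
                verdict = "MISSING: client should have sent it"
            findings.append((url, name, verdict))
        # Record cookies from this response only after judging the request.
        for header in set_cookies:
            for name, morsel in SimpleCookie(header).items():
                jar[(parts.hostname, name)] = {
                    "path": morsel["path"] or "/",
                    "secure": bool(morsel["secure"]),
                }
    return findings

if __name__ == "__main__":
    for url, name, verdict in audit_cookie_roundtrip(CAPTURE):
        print(f"{name:<14}{verdict:<50}{url}")
```

A "not sent: Secure cookie" verdict on a port 80 request is the case to look for when SSL is terminated in front of a service that listens on plain http.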