You technically just need 11.4 and above to make this work. Your ingress TCP wildcard VIP should have absolutely nothing applied (assuming you're not decrypting and re-encrypting):
- Type: Standard
- Destination address/Mask: 0.0.0.0/0
- Service Port: 443 (or * All ports)
- Protocol: TCP
- VLAN and Tunnel Traffic: enabled on the same tunnel that you used in the http-explicit profile
- Source Address Translation: SNAT as required
- Address Translation: unchecked
- Port Translation: unchecked
- Default Pool: your gateway pool
Notice that there's no HTTP or SSL profiles attached to this VIP.