Hi NiHo,
I'm currently working on a similar setup and I'm using the table command to get it working (I'm using 10.2.4 in my setup).
My APM policy is doing a LDAP query and I'm using two attributes, one for redirecting the user to the correct start-URI and the other to dynamically choose the correct pool and poolmember. I've learned that the "ACCESS_POLICY_AGENT_EVENT" is triggered only once, but for pool assignment or redirects the "HTTP_REQUEST"-event is required, which fires much more (and also before the "ACCESS_POLICY_AGENT_EVENT").
Therefor at the end of the "ACCESS_POLICY_AGENT_EVENT" I created some session variable with the table command (specifying the same timeout as the APM policy has, 900 by default). In the "HTTP_REQUEST"-event I verify with the table lookup command if the session variable is already set (which also extends the timeout as long as the user is active). And for the logout, which will be triggered with a specific URI in my setup, I delete all the session variables again.
I hope this will point you in the right direction.
Ciao Stefan :)