Strictly speaking, the HSTS header is irrelevant if the site doesn't have a corresponding "http" version. I've just now tested this scenario though, and it occurs as you describe. Interestingly, the other pages (my.policy page, etc) do honor the settings from the HTTP profile.
If you need to get around this for paperwork purposes, the following irule will get the header in there:
workaround for F5 bug ID 565554
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_RESPONSE_RELEASE {
if { [HTTP::header Location] eq "/my.policy" } {
HTTP::header replace "Strict-Transport-Security" "max-age=16070400 ; includeSubDomains"
}
}