Forum Discussion

Dev_56330
Oct 22, 2015

Kerberos Authentication with different UPN than Kerberos Realm

Using the Exchange 2013 iApp to let the BIG-IP (v12.0) load balance a pool of Client Access Servers with APM providing authentication, users are receiving "Matching Credentials Cannot be Found" after successful certificate validation using a Smart Card. Authentication steps include client certificate validation using a smart card and then Kerberos authentication to the domain. Any thoughts?

Kerberos: cant get S4U2Self ticket for user 123456@nnn - Matching credentials not found (-1765328243)

Kerberos Realm = Test.Lab
Domain Controller = dc.test.lab
Kerberos Delegation = host/user@test.lab
UPN of user account = @nnn

2 Replies

  • APM Kerberos SSO doesn't currently support Kerberos "canonical enterprise referrals", that is, it can't chase a referral sent by the KDC for another realm. I'm assuming your "@nnn" is an alternate UPN suffix in the same domain, but this still requires canonical referrals. What you need to do to make this work is to specify the user's real name and real domain. And since the user's real userPrincipalName contains the alias realm, you have to send the sAMAccountName value instead. Your access policy might then look something like this:

    start -> on demand cert auth -> ocsp auth -> LDAP query -> variable assign -> allow

    where the LDAP query looks up the user's sAMAccountName value based on the userPrincipalName. The variable assign puts the returned username value into the right username session variable for the SSO profile. Example:

    session.sso.token.last.username = return [mcget {session.ldap.last.attr.sAMAccountName}]

    Or you can alternatively skip the variable assign and make session.ldap.last.attr.sAMAccountName the input username source variable within the SSO profile.

  • Add an iRule event agent to the visual policy right after the OCSP auth. Give it an ID of "CERTPROC". Add an iRule to fetch the certificate SAN UPN:

    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "CERTPROC" {
                # Only act when the client certificate carries a SAN otherName UPN entry
                if { [ACCESS::session data get session.ssl.cert.x509extension] contains "othername:UPN<" } {
                    # Skip the 14-character "othername:UPN<" marker and read up to the closing ">"
                    ACCESS::session data set session.logon.last.username [findstr [ACCESS::session data get session.ssl.cert.x509extension] "othername:UPN<" 14 ">"]
                }
            }
        }
    }

    Add an LDAP Query agent after the iRule event and use the following LDAP filter:

    userPrincipalName = %{session.logon.last.username}

    If the LDAP query succeeds, you should have a session.ldap.last.attr.sAMAccountName session variable with the user's SAM name.
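The two steps of this reply (pull the UPN out of the certificate SAN, then map it to the sAMAccountName the SSO profile needs in the real realm) in Python, as an added example that is not part of either post or of F5's own code. The DIRECTORY dict is a constructed stand-in for the LDAP query agent, and the RFC 4515 filter escaping is an added check, not something the iRule above performs.

```python
# Mirrors the iRule's findstr call: skip the 14-character marker
# "othername:UPN<" and take everything up to the closing ">".
UPN_MARKER = "othername:UPN<"


def extract_san_upn(x509extension: str):
    """Return the UPN from a SAN otherName string, or None when absent."""
    start = x509extension.find(UPN_MARKER)
    if start == -1:
        return None  # same outcome as the iRule's "contains" guard failing
    start += len(UPN_MARKER)
    end = x509extension.find(">", start)
    if end == -1:
        return None  # malformed extension text: no terminator
    return x509extension[start:end]


# RFC 4515 escapes, so a certificate-supplied value cannot change the filter shape.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def upn_filter(upn: str) -> str:
    """The search filter the LDAP query agent would send, in RFC 4515 syntax."""
    return f"(userPrincipalName={ldap_escape(upn)})"


# Constructed stand-in for the directory: userPrincipalName -> sAMAccountName.
DIRECTORY = {"123456@nnn": "123456", "jdoe@nnn": "jdoe"}


def s4u2self_principal(x509extension: str, realm: str):
    """Resolve the certificate's UPN to the principal APM should request a
    S4U2Self ticket for: the sAMAccountName in the KDC's own realm, not the
    alternate UPN suffix that caused 'Matching credentials not found'."""
    upn = extract_san_upn(x509extension)
    if upn is None:
        return None
    sam = DIRECTORY.get(upn)  # in APM this is session.ldap.last.attr.sAMAccountName
    if sam is None:
        return None
    return f"{sam}@{realm}"
```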