Thanks for the comment rob_carr. Unfortunately, this wasn't documented so well. The cause of my issue was due to non-browser user agents which were being requested for authentication by APM. Since I can define known IPs I was able to disable access for these user agents using the following iRule.
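when HTTP_REQUEST {
    # Match the two non-browser clients by User-Agent (case-insensitive)
    if { [string tolower [HTTP::header "User-Agent"]] == "ms-rdgateway/1.0" || [string tolower [HTTP::header "User-Agent"]] == "kerberos/1.0" } {
        # Mark the request as clientless and skip the APM access policy
        HTTP::header insert "clientless-mode" 1
        ACCESS::disable
    } else {
        # Everything else still goes through APM; in Tcl, "else" must sit
        # on the same line as the closing brace of the "if" body
        ACCESS::enable
    }
}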
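
The post mentions that the known client IPs can be defined. As an added example (not the poster's code), this variant puts that restriction into the iRule itself, so the APM bypass applies only when both the User-Agent and the source address match. It assumes a hypothetical address-type data group named trusted_rdg_clients that holds those IPs.

```tcl
when HTTP_REQUEST {
    set ua [string tolower [HTTP::header "User-Agent"]]

    # The User-Agent header is supplied by the client, so on its own it
    # only identifies what the client claims to be.
    set is_nonbrowser [expr { $ua eq "ms-rdgateway/1.0" || $ua eq "kerberos/1.0" }]

    # trusted_rdg_clients is a hypothetical data group (assumption) that
    # lists the known source addresses of the non-browser clients.
    set is_trusted [class match [IP::client_addr] equals trusted_rdg_clients]

    if { $is_nonbrowser && $is_trusted } {
        # Known client from a known address: skip the APM access policy
        HTTP::header insert "clientless-mode" 1
        ACCESS::disable
    } else {
        if { $is_nonbrowser } {
            # Matching User-Agent from an unlisted address: keep APM on
            # and leave a log entry for review
            log local0.warning "APM bypass refused for [IP::client_addr], User-Agent: $ua"
        }
        ACCESS::enable
    }
}
```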