Agreed. /32 is the safest way to go, and generally will fix any oneconnect issues that you may run into. Obviously, you'll not get the killer gains from a more wide open mask, but /32 generally gives you much of the benefit without the risks. It's also worth noting that oneconnect can actually help fix certain situations. For example, JSESSIONID persistence often (always?) won't work the way you expect without a oneconnect profile on the VIP. The same goes for plain old cookie insert in certain proxy environments.
-Matt