This is really interesting, thanks for posting. The good news is that you can accomplish most all of this by simply forcing every request through an SSL enabled virtual server. You can force any non-https request to that VS address back over to the SSL enabled VS. Also, stream profiles can rewrite non-https references for you on the fly.
I'm not saying that this is a superfluous concept at all, but it seems that with an ADC you can actually enforce much of this behavior so you're ahead of the game before you've even started. As far as inserting the header, I agree that this looks totally possible.
-Matt