Thanks Aaron. I think I'll be able to work with what you've given me. Oddly, our intentions are quite different than what you expected. We have a "portal" product that we secure with client cert authentication and ocsp. Some of the resources within the portal are not "portalized", meaning they aren't rendered from within the portal. The user must request the objects on their own. In an attempt to keep the user from having to re-authenticate their client certificate, as is policy for every web application, we need to turn off client certificate request. In doing so though, we need to make sure that the client is already authenticated at the main site. So the idea is to create a session cookie at the portal with the given domain. When the user receives a redirect for content on another host, the BigIP needs to make sure that a session cookie exists from the portal. If it doesn't, then redirect the user to the main portal login page. It is then important to know whether VIPs can share session cookies, which you've verified. The question of where the session cookie lives is of greatest importance to our IA group. Although session cookies should go away when the browser is closed, the data may actually remain in memory until written over. I know this sounds paranoid, but we may still need to insert some encrypted TTL data into the cookie so that it actually expires.
Thanks again.
Kevin Stewart
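The cookie-gating scheme described in the message above, written out as an added example in plain Python; it is not code from this thread, from F5, or from a BIG-IP iRule, and it only models the check the BIG-IP would perform. The cookie name (`PORTALSESSION`), the domain (`example.com`), the login URL, the allowed-return-host list and the secret are all assumed placeholders. The "encrypted TTL" is modelled here as an HMAC-authenticated expiry: what lets the proxy trust the timestamp regardless of what the browser kept in memory is integrity protection, so that is the property the example enforces (confidentiality of the timestamp is an optional extra not shown). The cookie is issued without `Max-Age`/`Expires`, so it remains a browser session cookie, while the embedded expiry bounds its server-side lifetime.

```python
import base64
import binascii
import hashlib
import hmac
import time
import urllib.parse
from http.cookies import SimpleCookie

# Assumed placeholders, not values from the thread.
COOKIE_NAME = "PORTALSESSION"
COOKIE_DOMAIN = "example.com"            # parent domain so every host/VIP receives it
LOGIN_URL = "https://portal.example.com/login"
ALLOWED_RETURN_HOSTS = {"portal.example.com", "content.example.com"}
SESSION_TTL = 900                        # seconds the session is honoured after issue


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(secret: bytes, user_id: str, now=None, ttl=SESSION_TTL) -> str:
    """Build 'base64(user|expires).base64(hmac)' at the portal after cert/OCSP auth."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{user_id}|{now + ttl}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def validate_session_cookie(secret: bytes, value: str, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        p, t = value.split(".", 1)
        payload, tag = _b64d(p), _b64d(t)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # tampered or wrong key
        return None
    try:
        user_id, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except ValueError:
        return None
    if now >= expires:                               # TTL enforced server-side
        return None
    return user_id


def set_cookie_header(value: str) -> str:
    """Set-Cookie value scoped to the parent domain; no Max-Age keeps it a session cookie."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    jar[COOKIE_NAME]["domain"] = COOKIE_DOMAIN
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["httponly"] = True
    return jar.output(header="").strip()


def gate_request(secret: bytes, headers: dict, requested_url: str, now=None):
    """What the non-portal VIP does: allow if a valid portal cookie exists, else redirect."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    user = validate_session_cookie(secret, morsel.value, now) if morsel else None
    if user is not None:
        return ("allow", user)
    # Only echo the return URL back to the login page if it points at a known host,
    # so the redirect cannot be turned into an open redirect.
    host = urllib.parse.urlsplit(requested_url).hostname
    if host in ALLOWED_RETURN_HOSTS:
        return ("redirect", LOGIN_URL + "?return=" + urllib.parse.quote(requested_url, safe=""))
    return ("redirect", LOGIN_URL)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"            # constructed, rotate in practice
    cookie = issue_session_cookie(secret, "kstewart", now=1000)
    print(set_cookie_header(cookie))
    print(gate_request(secret, {"Cookie": f"{COOKIE_NAME}={cookie}"},
                       "https://content.example.com/doc.pdf", now=1500))
    print(gate_request(secret, {}, "https://content.example.com/doc.pdf", now=1500))
```

The shared-cookie part is entirely the `Domain` attribute: a cookie set by `portal.example.com` with `Domain=example.com` is presented to every other host under that domain, so the second VIP sees it without any state being exchanged between VIPs. The expiry check is what answers the IA concern: even if a closed browser's memory still holds the value, a replay after `expires` is rejected by the proxy, and a replay with an edited expiry fails the HMAC.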