I would like to add that Access Policy Manager makes this RIDICULOUSLY easy to accomplish - just add a message box object in the visual policy and edit its HTML under advanced customization. Working with pure iRules is a little trickier because you essentially need to track the state of the session so that you're not presenting the banner page in the middle of the application session (APM takes care of this part for you). You necessarily need some persistent token that identifies that the browser has already seen (and acknowledged) the banner.
That said, there are a bunch of ways to pull this off, all depending on the app:
1. Cookie insertion on first request (a dummy request) that sets the cookie and shows the banner.
2. A session table entry mapped to the client IP (if IP addresses are consistent).
3. Setting the application's start page to a (fake) URI that tells the iRule to display the banner and then forward to the real start page.
4. Some combination of all of these (1 and 3 specifically).