Do your domains have a domain trust? I will assume yes, because if you didn't, the UserDomain could not access the ResourceDomain.
So, if your domains are trusted, and authoritative for unique domain suffixes, then you can just make sure that DNS is properly configured in all domains, and allow LDAP forwarding to do its job.
Are you using Kerberos? You can enable DNS lookups for REALMS in the krb5.conf file on the BIG-IP to help. You can also hard code the KDC for the REALMS you know you need to support. You can also use an iRule to determine which REALM users are in and modify as needed. This will make sure that when the request comes in to the KDC, it knows which KDC to send the request to for that specific REALM.
For example:
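when ACCESS_POLICY_AGENT_EVENT {
    # Runs when an iRule Event agent in the access policy fires.
    # The agent ID identifies the user's domain; set the matching realm.
    switch [ACCESS::policy agent_id] {
        "DOMAIN1" {
            ACCESS::session data set session.logon.last.domain "F5LAB.LOCAL"
        }
        "DOMAIN2" {
            ACCESS::session data set session.logon.last.domain "MSDOMAIN.LOCAL"
        }
    }
}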
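
The krb5.conf options mentioned above, as an added example that is not part of the original post: DNS-based lookup combined with hard-coded KDCs for the two realms used in the iRule. The KDC host names and the choice of default realm are placeholders (assumptions), not values from the post.

```ini
# krb5.conf sketch for the two realms named in the iRule.
# Host names below are placeholders; substitute your own domain controllers.

[libdefaults]
    # Assumed default; pick whichever realm most users belong to.
    default_realm = F5LAB.LOCAL
    # Find KDCs through DNS SRV records (_kerberos._udp.<REALM>) for any
    # realm that has no kdc entry under [realms].
    dns_lookup_kdc = true
    # Map host names to realms through DNS TXT records (_kerberos.<domain>)
    # when no [domain_realm] entry matches.
    dns_lookup_realm = true

[realms]
    # Hard-coded KDCs: SRV lookups are only used for realms not listed here,
    # so the realms you know you must support do not depend on DNS answers.
    F5LAB.LOCAL = {
        kdc = kdc1.f5lab.local:88
    }
    MSDOMAIN.LOCAL = {
        kdc = kdc1.msdomain.local:88
    }

[domain_realm]
    # Static suffix-to-realm mappings, consulted before any DNS TXT lookup.
    .f5lab.local = F5LAB.LOCAL
    f5lab.local = F5LAB.LOCAL
    .msdomain.local = MSDOMAIN.LOCAL
    msdomain.local = MSDOMAIN.LOCAL
```

DNS responses are unauthenticated, so a spoofed SRV or TXT record can point clients at the wrong server and cause authentication failures; listing the KDCs and domain mappings statically for known realms removes that dependency.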