Walter_Kacynski
Sep 02, 2015

F5 Dynamic ACL format for AD based attribute

I have reviewed the dynamic ACL documentation at: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-11-5-0/2.html

However, ACLs are not working as I expect them to. Is there a way to debug how APM is parsing the ACLs being returned from LDAP? I can see messages in debug mode, but the page is not producing an ACL deny message:

Sep  2 13:09:00 TST-VE-BIGIP debug apd[11021]: 01490000:7: modules/ResourceAssignment/DynamicAcl/DynamicAclAgent.cpp func: "DynamicAclAgentexecuteInstance()" line: 484 Msg: agent_dynamic_acl source session.ad.last.attr.extensionAttribute5: deny https any 10.0.0.0/8 *://*/app1/Engine

On the frontend the URL is HTTPS, but on the backend it is HTTP over port 443. What I am not certain about is what the target URLs should match. I have implemented this ACL via a statically defined ACL within APM; however, I want to evaluate centralizing our ACLs within the LDAP directory where account management and access control occur.

Thank you.
