Adding APM to an application with existing X.509 client authentication

Your gut is correct. There is indeed an SSL man-in-the-middle capability called "ProxySSL", but a) it requires a copy of the server's private key, and b) does not generally work with APM. ProxySSL silently listens to the client-server SSL handshake, decrypts the premaster secret sent by the client and encrypted with the server's public key, and then derives the same session encryption key. It uses this key to then silently decrypt and re-encrypt the bulk encryption after the SSL handshake. One of the biggest implications of this process is that you cannot interrupt the client-server handshake dialog. You can't load balance to different pool members, and you can't insert any preemptive actions, like APM message boxes or logon pages. You could technically run APM in clientless-mode, which disables the initial redirect and preemptive controls, but then you'd also mostly negate APM's functionality.