Adobe Connect SSO, convert from ACA to APM
Years ago, Adobe put out a guidance doc detailing a way to do SSO to Adobe Connect by reading X509 data, parsing for email, setting a cookie and passing info in HTTP header. Well, as of 12.1.2 HF1, this no longer works. So, hoping someone might want a challenge in trying to convert the old ACA iRule method to an APM method. My initial thought is to do an APM policy in VPE to first check 'On-Demand Cert Auth' then iRule Event to set UPN from X509 to a variable. Next an AD query to get the email address attribute that Adobe needs, iRule event to set that in the cookie and in the HTTP header. Below is what Adobe put out in the original ACA iRule. Any ideas on how to implement / update would be appreciated.
Tom

when CLIENTSSL_CLIENTCERT {
    set certID [SSL::sessionid]
    set client_cert [SSL::cert 0]
    set urcertinfo [X509::extensions $client_cert]
    # Take the text after "email:" in the extensions, up to the next comma
    set theEmailEnd [getfield $urcertinfo "email:" 2]
    set theEmail [getfield $theEmailEnd "," 1]
    # Remember the address for this SSL session (timeout in seconds)
    session add ssl [SSL::sessionid] $theEmail 28801
}

# Start the if statements here
when HTTP_REQUEST {
    set theStuff2 [session lookup ssl [SSL::sessionid]]
    set theEmail2 [lindex $theStuff2 0]
    if { [HTTP::cookie exists BREEZESESSION] } {
        set cookie_payload [HTTP::cookie value BREEZESESSION]
    } elseif { [HTTP::uri] contains "/system/login" } {
        # Connection has been redirected to the "login page"
        # The email address has been parsed from the certificate
        HTTP::header insert hah_login $theEmail2
    } elseif { [HTTP::uri] contains "session" } {
        # do nothing, Acrobat Connect Pro verifies the token
        # found in session=$token
    } else {
        # URI encode the current request, and pass it to
        # the Acrobat Connect Pro system login page because the client_addr
        # does not have a session yet.
        HTTP::redirect "https://[HTTP::host]/system/login/ok?next=[URI::encode https://[HTTP::host][HTTP::uri]]"
    }
}
I have written the solution for this and can share with those who wish to email me from .mil domains.
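A sketch of the APM-based flow the question proposes, added here as an example; it is not code from the original post, Adobe or F5. It assumes a VPE of On-Demand Cert Auth -> iRule Event (agent ID parse_cert, an assumed name) -> AD Query that looks the user up by the certificate value and returns the mail attribute -> Allow; the certificate parsing mirrors the old rule's "email:" field, so a certificate that carries only a UPN needs a different extraction step.

```tcl
# Added example, not from the original post. Assumed VPE: On-Demand Cert Auth ->
# iRule Event (ID "parse_cert") -> AD Query (filter built from
# %{session.custom.cert_email}, retrieving "mail") -> Allow.

when ACCESS_POLICY_AGENT_EVENT {
    # Fires for every iRule Event agent; only act on our own (assumed) agent ID.
    if { [ACCESS::policy agent_id] ne "parse_cert" } { return }

    # On-Demand Cert Auth stores the decoded extension text in this session variable.
    set ext [ACCESS::session data get "session.ssl.cert.x509extension"]
    # Same parsing as the old ACA rule: text after "email:" up to the next comma.
    set cert_email [string trim [getfield [getfield $ext "email:" 2] "," 1]]

    # An empty value lets a later VPE branch rule deny instead of querying AD blindly.
    ACCESS::session data set "session.custom.cert_email" $cert_email
}

when ACCESS_ACL_ALLOWED {
    # Runs on each request once the policy has granted access, so the old
    # HTTP_REQUEST logic moves here. The AD Query agent exposes the looked-up
    # attribute as session.ad.last.attr.mail; fall back to the certificate value.
    set mail [ACCESS::session data get "session.ad.last.attr.mail"]
    if { $mail eq "" } {
        set mail [ACCESS::session data get "session.custom.cert_email"]
    }

    if { [HTTP::cookie exists BREEZESESSION] } {
        # Connect has already issued its own session cookie; nothing to do.
        return
    } elseif { [HTTP::uri] contains "/system/login" } {
        # Hand the identity to Connect as the old rule did, but drop any
        # client-supplied copy first so the header value always comes from APM.
        HTTP::header remove hah_login
        HTTP::header insert hah_login $mail
    } elseif { [HTTP::uri] contains "session" } {
        # Connect validates session=<token> itself.
        return
    } else {
        # No Connect session yet: send the client through the login page.
        HTTP::redirect "https://[HTTP::host]/system/login/ok?next=[URI::encode https://[HTTP::host][HTTP::uri]]"
    }
}
```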