Forum Discussion

Mar 19, 2025

APM for banner and cert

I need to create an APM that will do the following

  1. present an advisory banner,
  2. request a certificate
  3. extract the UPN and send over to Active Directory
  4. send the user to the backends.

Looking for articles that explain the different steps in the process so I can understand it better.

2 Replies

  • When implementing the "require" parameter in ClientSSL profiles, a significant limitation exists: connections with missing or invalid certificates are terminated immediately without providing any diagnostic information or user feedback. This creates a poor user experience and complicates troubleshooting. 
    A more effective approach is to maintain the "require" parameter in your ClientSSL profile and use "On-Demand Cert Auth" instead of "Client Cert Inspection" within your APM policy.
    This configuration allows certificate validation failures to be handled gracefully within the APM policy, enabling customized user feedback and remediation paths.

    While Message Box would do the job, if you are familiar with JS, consider using the Advanced Customization feature in your APM policy to create the banner.


  • You'll want the following APM objects in your policy:


    1) Message Box: (for the advisory banner)

    2) Client Cert Inspection: (note that in the LTM clientssl profile you will need to set the client authentication method to require. This will prompt the user to provide their cert at connection to the VS) Client SSL Authentication on BIG-IP as in-depth as it can go | DevCentral

    3) I recommend an OCSP responder check here to verify the cert is valid, but that is up to you.

    4) To extract the UPN from the cert there are two ways to go about this. The following article should help: How to Extract the UPN from a Digital Certificate on a CAC card using F5 APM | DevCentral

    5) After that, you will need an LDAP Query object with the search filter utilizing the variable to which you assigned the extracted UPN.


    Hope this helps.
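To make steps 4 and 5 of the reply above concrete, here is an added Python illustration (not APM code and not from either reply) of what the extraction does: it reads the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) out of a DER-encoded subjectAltName and escapes the value before it is substituted into the LDAP search filter. The SAN bytes are constructed inline so it runs offline; in APM the same work is done by the policy's variable assignment and the LDAP Query object.

```python
"""Pull the UPN otherName out of a DER subjectAltName and build a safe LDAP filter.
Standard library only; the sample SAN at the bottom is constructed for this example."""

UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (szOID_NT_PRINCIPAL_NAME)

def der_len(n):
    """DER length: short form below 128, otherwise two-byte long form (enough here)."""
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def parse_tlvs(data):
    """Yield (tag, body) for each DER TLV in data; handles short and long-form lengths."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        i += 2
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def extract_upn(san_der):
    """Return the UPN carried in an otherName GeneralName, or None if the SAN has none."""
    tag, names = next(parse_tlvs(san_der))
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    for tag, body in parse_tlvs(names):
        if tag != 0xA0:                      # [0] otherName; rfc822Name/dNSName etc. skipped
            continue
        (oid_tag, oid), (_, value) = list(parse_tlvs(body))[:2]
        if oid_tag == 0x06 and oid == UPN_OID:
            str_tag, upn = next(parse_tlvs(value))   # [0] EXPLICIT wraps a UTF8String
            if str_tag == 0x0C:
                return upn.decode("utf-8")
    return None

def ldap_filter(upn):
    """Escape RFC 4515 specials so a crafted UPN cannot alter the directory query."""
    esc = "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in upn)
    return f"(userPrincipalName={esc})"

# Constructed sample SAN: an rfc822Name plus the UPN otherName a smart-card cert carries.
SAMPLE_SAN = tlv(0x30,
    tlv(0x81, b"user@example.com") +
    tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"user@example.com"))))
```

A certificate with no otherName yields None, which is the case the policy branch after the extraction step has to handle before the LDAP Query runs.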