Forum Discussion
APM OCSP Responder to check client (stunnel) certificate
Technically speaking, APM AAA is designed for HTTP. The session is maintained by a cookie and the redirect is used to start (and end) the policy evaluation. You can get rid of the redirect with clientless-mode, but you still need the session cookie for subsequent requests. There are, interestingly enough, a few alternatives. First take a look at the following:
The idea is that you have an LTM VIP, your stunnel virtual. When a client makes a new connection to the VIP and passes the client certificate, you initiate a sideband connection to an APM VIP (in clientless-mode), passing the client certificate in an HTTP header (encoded for transport). The APM VIP consumes the certificate, does the OCSP, and then responds with a "good" or "bad" to the calling sideband. The LTM VIP then simply continues the Stunnel connection or drops it. If there was something in the Stunnel traffic that you could use for persistence, then you'd be able to control how often this process fires. The above example is wildly more complicated than what you'd need, in my opinion, but a good place to start.
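The sideband flow described in the reply above, written out as an LTM iRule. This is an added example, not code from the original post or from F5; it assumes a clientless-mode APM virtual reachable at 10.1.1.50:80 with a hypothetical path /ocsp-check that reads the certificate from an X-Client-Cert header (a made-up header name) and answers with a body of "good" or "bad". The result cache keyed by certificate hash is the "how often this fires" control the reply mentions, substituted here for protocol-level persistence since stunnel offers none.

```tcl
# Added example: LTM-side iRule for an stunnel (client-cert) virtual.
# Assumed: APM VIP at 10.1.1.50:80, path /ocsp-check, header X-Client-Cert.

when CLIENTSSL_CLIENTCERT {
    # No client certificate presented: nothing to check, so drop the connection
    if { [SSL::cert count] == 0 } {
        reject
        return
    }

    # DER form of the leaf certificate; hash it as the cache key
    set cert_der [SSL::cert 0]
    set cert_key [sha256 $cert_der]

    # Cached verdict from an earlier sideband call (5 minute timeout)
    set verdict [table lookup -subtable ocsp_cache $cert_key]
    if { $verdict eq "" } {
        # Base64 keeps the DER bytes header-safe for transport
        set cert_b64 [b64encode $cert_der]

        # Sideband connection to the clientless-mode APM virtual
        set conn [connect -timeout 3000 -idle 5 -status conn_status 10.1.1.50:80]
        if { $conn eq "" } {
            log local0. "OCSP sideband connect failed: $conn_status"
            reject
            return
        }

        set req "GET /ocsp-check HTTP/1.1\r\n"
        append req "Host: apm-ocsp\r\n"
        append req "X-Client-Cert: $cert_b64\r\n"
        append req "Connection: close\r\n\r\n"

        send -timeout 3000 -status send_status $conn $req
        set resp [recv -timeout 3000 -status recv_status $conn]
        close $conn

        # Take only the body, so a stray "good" in a header can't match
        set body ""
        set idx [string first "\r\n\r\n" $resp]
        if { $idx >= 0 } {
            set body [string trim [string range $resp [expr {$idx + 4}] end]]
        }

        # Fail closed: anything other than an explicit "good" is "bad"
        if { $body eq "good" } {
            set verdict "good"
        } else {
            set verdict "bad"
        }
        table set -subtable ocsp_cache $cert_key $verdict 300
    }

    if { $verdict ne "good" } {
        reject
        return
    }
    # "good": let the stunnel connection proceed untouched
}
```

The check fails closed on a sideband timeout, an unparseable response or an empty body, which is the behaviour you want when the verdict gates access; cache the "bad" result too, otherwise a revoked certificate retries the APM virtual on every connection.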