APM portal mode and On Demand Certificate Authentication

I'm using 11.4.1, in client ssl profile on client authentication I use ignore since On Demand Certificate Authentication is used in access policy. Configuration manual for APM indicates to set it on ignore for On Demand to work and it does work but not in portal access. I've tried with request, haven't tried with require, I can do that but that is not the behavior I am expecting. I would like for client to be able to see the logon page and only after he hits login the APM should ask for client certificate and to do SSL renegotiation and after that to pass the certificate details forward in the policy. If set to request or required the client certificate is asked as soon as the clients hits the logon page.

There is something different between the two modes because in portal access the session is maintained by the APM, I have session ID, I can do logout, etc, while just authenticating for LTM as soon as that is done session ID is no longer available, I cannot clear that session, traffic is offloaded to LTM. There must be something different on how APM handles the SSL renegotiation in portal access mode or full portal access.