Forum Discussion
APM portal mode and On Demand Certificate Authentication
That makes total sense, Kris. Any time that you receive a client certificate, either via the client SSL profile or APM's On-Demand Cert Auth agent, you MUST provide a trusted certificate authorities' cert/bundle. If you think about it, when the server sends its certificate to the client as part of the SSL handshake, the browser's CA trust list is used to validate that server certificate. If the cert subject name doesn't match the server name in the URL, the cert is expired, or the browser can't establish a trust path with any of the CA certs in its list, the user will get a certificate error. The same applies for the other end. When the client sends its certificate to the server, the server (BIG-IP) must validate it against an explicit CA trust chain - the CA bundle. Except in this case, if no trust path can be created, the SSL handshake fails. This is also a difference between Request and Require. With Request, validation can fail and the connection will continue. With Require, if the validation fails the connection is ended.
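As an added illustration of the validation described in the reply above (example code, not from the post or from F5), this Go program builds a throwaway PKI in memory and applies the Request/Require decision to a valid, an expired, and an unknown-CA client certificate. The CA names and subjects are constructed, and Go's `crypto/x509` chain building stands in for BIG-IP's own validation against the configured bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a constructed test certificate signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, notAfter time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter, IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // a root signs itself and must be allowed to sign certificates
		t.KeyUsage |= x509.KeyUsageCertSign
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Validate is the BIG-IP-side check the post describes: the presented client cert (nil = none sent) must chain
// to a CA in the bundle. require=false is "Request" (a failed check still continues), true is "Require" (it ends).
func Validate(require bool, presented *x509.Certificate, bundle *x509.CertPool) (continues, trusted bool) {
	if presented != nil {
		_, err := presented.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		trusted = err == nil // false when expired or no path to a bundle CA (a nil Roots would use the system roots instead)
	}
	return !require || trusted, trusted
}

// BuildPKI constructs a bundle trusting only "Corp Issuing CA", plus a valid, an expired and an unrelated-CA client cert.
func BuildPKI() (*x509.CertPool, map[string]*x509.Certificate) {
	now := time.Now()
	corpCA, corpKey := issue("Corp Issuing CA", now.Add(time.Hour), nil, nil)
	otherCA, otherKey := issue("Unrelated CA", now.Add(time.Hour), nil, nil)
	certs := map[string]*x509.Certificate{}
	certs["valid"], _ = issue("alice", now.Add(time.Hour), corpCA, corpKey)
	certs["expired"], _ = issue("bob", now.Add(-time.Hour), corpCA, corpKey)
	certs["unknown-ca"], _ = issue("carol", now.Add(time.Hour), otherCA, otherKey)
	bundle := x509.NewCertPool() // the trusted CA bundle the profile or agent must reference
	bundle.AddCert(corpCA)
	return bundle, certs
}
```

Under Request the expired and unknown-CA certs leave the connection open but `trusted` false, which is the state an APM policy branch would act on; under Require the same two end the handshake, as does sending no certificate at all.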