Forum Discussion
yves_werniers_1
Nimbostratus
Sep 25, 2014
APM with OTP to identify 'trusted client'
Hello,
I have been asked to figure out if we can use APM for the following scenario.
If someone wants to log in to our systems (secured by APM), don't just use username and password. Use an OTP ...
Arnaud_Lemaire
Employee
Sep 26, 2014
Yes, you should be able to do that.
- You need to create two irule_event agents in your VPE.
- The first one, before the logon page, triggers an event in an iRule that looks for your cookie. If the cookie is present and valid, you branch to a logon page with just simple auth. To play with cookies in an iRule, have a look here: https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx
- If the cookie is not valid or not present, you branch to the full OTP process.
- The way you create your branch could be by setting an APM session variable in the iRule and checking the value in an empty box just after the irule_event agent. To set or read an APM variable from an iRule, have a look here: https://devcentral.f5.com/wiki/iRules.ACCESS__session.ashx
- The second irule_event in the VPE should happen after the successful full authentication process; in this iRule you craft your cookie.
- Now the good question is what do I put in my cookie. I would say anything proper to the session with some variance, so you could try to hash username + APM session ID with the md5 iRule command: https://devcentral.f5.com/wiki/iRules.md5.ashx
- Once you have your hash, you put it in an iRule table (https://devcentral.f5.com/wiki/iRules.table.ashx) with a lifetime, and in the first irule_event agent you compare the cookie sent by the user and the table content to find a match.
Good luck!
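The flow described in the reply above, modelled in Python as an added example (not code from the original post and not an iRule). The class and method names are hypothetical, a dict stands in for the iRule table, the sample values are constructed, and returning the stored username so the simple-auth branch can check it is an assumption.

```python
import hashlib
import hmac
import time


class TrustedClientTable:
    """Hypothetical stand-in for the iRule table: token -> (username, expiry)."""

    def __init__(self, lifetime_s, clock=time.time):
        self.lifetime_s = lifetime_s
        self.clock = clock
        self._entries = {}

    def issue(self, username, session_id):
        """Second irule_event: runs only after the full OTP login succeeded."""
        # md5(username + APM session id), as suggested in the reply. The token
        # is only as unpredictable as the session id that goes into it.
        token = hashlib.md5((username + session_id).encode()).hexdigest()
        self._entries[token] = (username, self.clock() + self.lifetime_s)
        return token  # value to hand to the client as the cookie

    def branch(self, cookie):
        """First irule_event: choose the VPE branch from the presented cookie."""
        now = self.clock()
        # Expire old entries, as the table lifetime would.
        self._entries = {t: e for t, e in self._entries.items() if e[1] > now}
        if cookie:
            presented = cookie.encode()
            for token, (username, _expiry) in self._entries.items():
                # Constant-time comparison of stored and presented values.
                if hmac.compare_digest(token.encode(), presented):
                    # Assumption: the simple-auth branch later checks that the
                    # name typed on the logon page equals this username.
                    return ("simple_auth", username)
        return ("full_otp", None)


if __name__ == "__main__":
    fake_now = [1000.0]  # constructed clock so expiry can be shown offline
    table = TrustedClientTable(lifetime_s=60, clock=lambda: fake_now[0])
    cookie = table.issue("alice", "constructed-session-id")  # constructed values
    print(table.branch(cookie))    # known client
    print(table.branch("0" * 32))  # unknown cookie
    fake_now[0] += 61
    print(table.branch(cookie))    # lifetime elapsed
```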