In the past I've done a TMG to F5 BIG-IP migration and in this specific case both the LTM and APM modules were required. This TMG was used to deliver Microsoft Exchange, Microsoft SharePoint and a bunch of other applications. Typical functionality required in this case was Reverse Proxy, Load Balancing, Multi Factor Authentication, Step Up Authentication and Single Sign On.
There was no tool used to migrate these services. I just built the BIG-IP configuration from scratch.
I guess for the firewall application one would also need AFM. There is quite a bit of information available on the internet about TMG to F5 BIG-IP migrations. For example, see:
https://www.f5.com/pdf/deployment-guides/f5-tmg-replacement-dg.pdf
http://interact.f5.com/rs/f5/images/Email%20%234%20Offer%203%20microsoft-forefront-tmg-dg.pdf