Eric_372176
Sep 16, 2018

BigIP as both a SAML IdP and SP, correct APM SSO config options

We have set up the BigIP as both an IdP and multiple SPs. It's really neat that the BigIP can provide both roles; however, the documentation seems to be lacking the proper setup for the SSO tab for each of the APM security policies that are configured on the IdP and SPs respectively. For example:

IdP = https://auth.example.com/idp

SP1 = https://mail.example.com/sp

SP2 = https://confluence.example.com/sp

For each of these above we have a unique APM security profile, and the scope for each is set to "Profile", not "Global". So the question is: what do we select in the "SSO / Auth domains" tab for each of these APM profiles? The options are:

  1. Domain Mode: single domain or multiple domain?
  2. Domain Cookie: blank or example.com or the FQDN of the resource the APM profile is protecting.
  3. Cookie options: we are selecting the "Secure" check box.
  4. SSO configuration: blank or should it be the SSO configuration that was automatically created when we created our IdP?

     

Again, the documentation is not clear on what is correct for these settings and I hope a discussion of this will help those out there deploying this configuration!

 
