Forum Discussion

spari_86680
Apr 19, 2007

Calls CLIENTSSL_CLIENTCERT but not HTTP_REQUEST

I'm trying to get information from an SSL client certificate and pass it to the backend servers via HTTP headers. We're basically following the example posted here: http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html.

That is, in the CLIENTSSL_CLIENTCERT event handler, we get the certificate and tuck it away in the session. Then in the HTTP_REQUEST handler we read it from the session and insert it into the HTTP header.

But we find that although it hits CLIENTSSL_CLIENTCERT, it doesn't even go into the HTTP_REQUEST handler. Any ideas on why the HTTP_REQUEST handler is not being called? Must be something really simple that we're doing wrong. Greatly appreciate any help on this!


when CLIENT_ACCEPTED {
    log LOCAL0.warn "==> Client Accepted"
}
when CLIENTSSL_HANDSHAKE {
    log LOCAL0.warn "==> Certificate Count = [SSL::cert count]"
}
when CLIENTSSL_CLIENTCERT {
    log LOCAL0.warn "==> Certificate = [SSL::cert 0]"
    log LOCAL0.warn "==> SSL Session Id = [SSL::sessionid]"   
    session add ssl [SSL::sessionid] [SSL::cert 0]
}
when HTTP_REQUEST {
    log LOCAL0.warn "==> HTTP_REQUEST"
    log LOCAL0.warn "==> SSL Session Id = [SSL::sessionid]"
    set cert [session lookup ssl [SSL::sessionid]]
    log LOCAL0.warn "==> Certificate = $cert"
}

This script was applied to a profile called certtest (whose base is the clientssl profile).

Logs when profile is set to "Require":

It enters CLIENTSSL_CLIENTCERT as expected and prints the certificate and session id, but does not enter HTTP_REQUEST:

Wed Apr 18 15:30:21 EDT 2007 tmm tmm[25207] Rule certtest CLIENT_ACCEPTED: == Client Accepted

Wed Apr 18 15:30:24 EDT 2007 tmm tmm[25207] Rule certtest CLIENT_ACCEPTED: == Client Accepted

Wed Apr 18 15:30:27 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_CLIENTCERT: == Certificate = (....)

Wed Apr 18 15:30:27 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_CLIENTCERT: == SSL Session Id = (....)

Wed Apr 18 15:30:27 EDT 2007 tmm tmm[25207] Rule certtest CLIENT_ACCEPTED: == Client Accepted

Wed Apr 18 15:30:29 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_CLIENTCERT: == Certificate = (....)

Wed Apr 18 15:30:29 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_CLIENTCERT: == SSL Session Id = (....)

Wed Apr 18 15:30:29 EDT 2007 tmm tmm[25207] Rule certtest CLIENT_ACCEPTED: == Client Accepted

Wed Apr 18 15:30:31 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_CLIENTCERT: == Certificate = (....)

Wed Apr 18 15:30:31 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_CLIENTCERT: == SSL Session Id = (....)

Logs when profile is set to "None":

It doesn't enter CLIENTSSL_CLIENTCERT (as expected), but does enter HTTP_REQUEST.

Wed Apr 18 15:21:27 EDT 2007 tmm tmm[25207] Rule certtest CLIENT_ACCEPTED: == Client Accepted

Wed Apr 18 15:21:27 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_HANDSHAKE: == Certificate Count = 0

Wed Apr 18 15:21:30 EDT 2007 tmm tmm[25207] Rule certtest CLIENT_ACCEPTED: == Client Accepted

Wed Apr 18 15:21:33 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_HANDSHAKE: == Certificate Count = 0

Wed Apr 18 15:21:33 EDT 2007 tmm tmm[25207] Rule certtest CLIENT_ACCEPTED: == Client Accepted

Wed Apr 18 15:21:33 EDT 2007 tmm tmm[25207] Rule certtest CLIENTSSL_HANDSHAKE: == Certificate Count = 0

Wed Apr 18 15:21:33 EDT 2007 tmm tmm[25207] Rule certtest HTTP_REQUEST: == HTTP_REQUEST

Wed Apr 18 15:21:33 EDT 2007 tmm tmm[25207] Rule certtest HTTP_REQUEST: == SSL Session Id = (....)

Wed Apr 18 15:21:33 EDT 2007 tmm tmm[25207] Rule certtest HTTP_REQUEST: == Certificate =

  • Same with me. HTTP_REQUEST is not called after SSL::renegotiation is done. Any solution for this?