We see the WWW-Authenticate header from the APM, and the negotiate response including the kerberos ticket going back to the F5. And then the session fails. You can see an example of the HTTP head/reponses in my first post. It's from a different access policy, but using essentially the same APM config and Mac client.
Have you ever heard of Safari successfully participating in kerberos ticket exchange with the APM? Does the APM support using Safari? I don't want to spend forever digging deeply into this if it hasn't been proven to work.