CORS - Pre Flight vs ASM & APM

I think it seems like you have a complex setup involving multiple Virtual Servers (VS) and the use of irules for handling CORS requests and OAuth authentication. You've described issues with CORS preflight requests, OAuth token refreshing, and unexpected behavior with certain URLs.  Use tools like browser developer tools, Fiddler, or Wireshark to inspect the HTTP headers exchanged during the CORS preflight requests, OAuth token refreshing, and other interactions. This can help you identify any unexpected headers or missing configurations. Create controlled test scenarios where you isolate specific components of your setup. For example, test the CORS preflight requests separately from the OAuth token refreshing to identify which step is causing the unexpected behavior.