Deploy APM per-request policy and Application Traffic Insight(former Device ID+)

You to instert the javascript for Shape bot security on the APM?

Also from what I read the per request policy should use the same logon page. When you customize the logon page and test triggering it with per request policy do you see difference in the two logon pages. If you see then maybe the F5 TAC is needed.

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-logon-items/about-logon-page.html

https://www.f5.com/es_es/products/security/application-traffic-insight