DoD CAC .mil 2 Factor Authentication to Web App through BigIP
Hello. We currently front end access to several COTS applications through BigIP (12.1.4). We have a new requirement to enforce 2FA using DoD issued CACs (smart card). We aren't doing any SSO with the COTS applications, and just want to validate the client cert through OCSP validation and PIN. Using APM, we've created a simple Policy to perform the OCSP validation. The problem we're seeing is when we access the external application URL front ended by the BigIP from our internal (.com) network, we are prompted for a CAC certificate, and when selected, are prompted for a PIN as expected. But when we access the URL from a .mil computer with an SDC image, it will not prompt for certificate or PIN and fails authentication. We've tried tweaking numerous settings in the SSL profile, tried different certificate authentication methods through APM, and the behavior is consistently the same from a .mil network computer. Does anyone have any experience trying to get CAC authentication working on the BigIP and have any ideas what might be happening? Thanks for any help you can provide.