Hi Kevin.
You definitely have a complex setup, but it also shows off the power of the BIG-IP to enable solutions to these complex problems. I think I understand your setup, but the problem may be in a few different places, it's hard to say without more information.
On first glance, it feels to me that when you rewrite the traffic to /bc/etc, that perhaps the cookie is being lost and/or not forwarded. I'm assuming here that SSO works between ESS and ITS and that the cookie being used is valid for both "domains". For example, the cookie being set should be broad enough so that it's being sent and interpreted by the server correctly. So, that could be problem 1 or problem 2. Specifically, that 1, it's not being sent in the context of /bc/etc or problem 2, that the rewrite is not sending it along.
I'm making another big assumption here that you are using an SSO mechanism that relies on cookies. Something like CA Siteminder, or something along that vein.
You mention the SSL certification as well. If you are terminating SSL on the F5, then you must already have some certificate there, either from the BIG-IP's self-signed "store" or perhaps you have already imported the ESS server's SSL cert. In either case, if you are not getting browser errors when you browse to https://ess.ourplace.com then your cert is probably okay. However, I do wonder if the ITS server is expecting the traffic in an encrypted connection. In other words, perhaps because the F5 is doing SSL off-load, perhaps the ITS server is not accepting the credentials. Most SSO systems can have pretty strict settings. Again, all speculation.
In speaking with my colleagues, there is also a theory that the cookie is encrypted or being encrypted, and throwing off the SSO system. Cookie encryption settings are in the HTTP profile section of the Virtual Server configuration.
In any case, to troubleshoot this issue, I would begin by taking a trace (Wireshark, tcpdump, etc) of the traffic going to the ITS server. This should be easy because the connection is not encrypted. You can do this on the BIG-IP (using TCPDUMP) or on the server, using wireshark or other tools. Then, check to see if the SSO cookie is making it to the server. If it's not, take a look at your rewrite, and perhaps look at an F5 BIG-IP iRule that will send the cookie as well.
If the cookie is making it to the server, then the issue may be that your SSO vendor is rejecting it, and looking at your logs on the server (as well as the SSO system) might prove useful in finding out why. You can also try to compare the cookie being sent with one that doesn't go through the F5 and that you know works, to try to narrow down the differences.
Hope this helps and please post back your findings!
-Nojan
Nimbostratus