Hi Bob,
I think you could set the TM.ContinueMatching database variable to true, and configure a 0.0.0.0:80 virtual server and a 0.0.0.0:443 virtual server with the redirects. If you have a single SSL cert valid for all of the HTTPS hostnames you could apply that in a client SSL profile to the HTTPS virtual server. If you don't, you could still use a client SSL profile, but clients would get prompted to accept the mismatched certificate. With all the HTTP/HTTPS virtual servers disabled, TMM should match those requests to the wildcard virtual servers and you can send a redirect from those using an iRule or fallback host.
For details on the TM.ContinueMatching variable you can check this SOL:
sol8009: Change in Behavior: The bigpipe db TM.ContinueMatching variable is now set to false
https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8009.html
I'd test this on a test unit or virtual edition to make sure the process works before trying it on a production unit.
Aaron
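
One way to write the redirect iRule for the two wildcard virtual servers described above (an added example, not part of the original post). `redirect.example.com` is a placeholder target, and the 503 fallback for requests already addressed to that host is an assumption about the desired behaviour.

```tcl
# Attach to both the 0.0.0.0:80 and 0.0.0.0:443 wildcard virtual servers.
# Both need an HTTP profile; the :443 one also needs the client SSL profile.
when HTTP_REQUEST {
    # Placeholder: replace with the real redirect target. It should be
    # reachable without passing through these wildcard virtual servers.
    set target_host "redirect.example.com"

    # Compare on the bare hostname: drop any :port suffix, ignore case.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]

    if { $req_host eq $target_host } {
        # The request is already for the target host, so redirecting it
        # again would loop. Answer locally instead.
        HTTP::respond 503 content "Service temporarily unavailable" \
            Retry-After "300" Connection "close"
        return
    }

    # The Location value is fixed and never built from the client-supplied
    # Host header or URI, so the catch-all listener cannot be steered into
    # redirecting to an arbitrary site.
    # 302 with no-store keeps browsers from caching the redirect after the
    # specific virtual servers are enabled again.
    HTTP::respond 302 Location "https://$target_host/" \
        Cache-Control "no-store" Connection "close"
}
```

Because a 0.0.0.0 virtual server answers for every destination address on that port, check that it is enabled only on the intended VLANs before applying the iRule.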