How do I modify header fields on additional sockets?

CLIENTSSL_CLIENTCERT is triggered when BIG-IP receives certificate message from the client. I think it happens at the time of new SSL handshake process.

You can use a session table to store the client cert / subject field using client IP address as key. Later in the HTTP request when you see the client IP retrieve the value from the table and insert it in the header.

Check this out if it helps https://devcentral.f5.com/articles/irules-101-12-the-session-command