Forum Discussion
How to configure 2 forest in Bigip APM
Also, I don't want any config changed for domain1 because it is working.
Well, that's the thing. You can hard-code the user/domain information as I described for (temporary) troubleshooting purposes, or you can leave the config alone and attempt to troubleshoot through logs and captures. I can't tell, from what you've described, where exactly the problem is. I'm guessing that there might be a Kerberos cross-domain issue, so that's why I prescribed the above troubleshooting steps. The alternative is to gather captures from the client side of the BIG-IP (to watch NTLM traffic), from the server side of the BIG-IP (to watch Kerberos traffic), and attempt to correlate all that with APM and LTM logs.
Consider that APM is an authentication proxy. Client-side authentication (in your case NTLM) produces a set of session variables if authentication is successful. Server-side authentication (in your case Kerberos) consumes a set of session variables to do what it needs to do. Presumably (and again I'm not 100% sure of this), your client-side NTLM authentication is working for at least DOMAIN1 users, and potentially DOMAIN2 users. This produces a set of session variables that you can see in APM and session logs. I'm also assuming that Kerberos is working for DOMAIN1 users, so that information from the client-side NTLM is plugging into the Kerberos SSO correctly. And that's where DOMAIN2 user information may be breaking. Of course I could be totally wrong and it's all simply working because DOMAIN1 users are passing NTLM tokens directly through the proxy, but I can't determine that without looking at captures.