Assuming we do this, where can we go and what's the best configuration? I have tried (and failed) with a simple HHTP profile alone.
At a minimum you need client and server SSL profiles applied to the VIP. The client SSL profile should have, at a minimum, the server cert and key. If you're performing mutual SSL auth, then you'll also need to apply a trusted CA bundle for the system to be able to validate client certificates. In most cases you can use either the default "serverssl" or insecure default serverssl profile on the server side. The insecure profile just disables the secure renegotiation requirement between the proxy and the server.
Also, in terms of load (cpu, memory) etc.. does SSL termination put much strain on an F5?... We're looking at the lower spec ones initially.
Keep in mind that a BIG-IP (usually) processes SSL in hardware, so the SSL performance is always going to be higher than that of any commodity server. The platform data sheet lists SSL performance, both TPS (handshake) and bulk crypto numbers.