Forum Discussion
irule to pass the client authentication certificate to pool member
Okay, so in a mutually authenticated SSL handshake, the client will send his certificate first, and then in a separate "certificate verify" message, send a piece of data that is digitally signed (encrypted with his private key). The server authenticates the client by first validating his certificate and then by validating the digital signature, whereby the server uses the client's public key to decrypt the message inside the digitally signed certificate verify message.
With that in mind, if a proxy decrypts that traffic, it CANNOT pass the client's certificate to the server side in a server side SSL handshake. And specifically, it cannot do that because it would not have access to the client's private key in order to generate the appropriate digital signature.
Once you've decrypted the traffic at the proxy, you have access to the certificate itself, and the x509 data within, which you can pass to the backend pool member as an HTTP header, or in some other supported form. But it cannot be in the server side SSL handshake.
F5's Access Policy Manager (APM) is great at handling this scenario because it can also convert that client side certificate auth to server side Kerberos auth, or other supported forms.
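An iRule implementing the header-passing approach described in the reply above, added here as an illustration and not part of the original thread. It assumes a client SSL profile with client authentication set to request or require; the `X-Client-Cert*` header names and the 180-second session-table lifetime are arbitrary choices.

```tcl
# Added example (not from the thread): forward the client's certificate to the
# pool member as HTTP headers after the BIG-IP has terminated the client-side TLS.

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has presented its certificate. Stash the DER cert in
    # the session table keyed by the TLS session ID: a later HTTP_REQUEST may run
    # on a resumed session where the certificate is not sent again.
    if { [SSL::cert count] > 0 } {
        session add ssl [SSL::sessionid] [SSL::cert 0] 180
    }
}

when HTTP_REQUEST {
    # Never trust these headers as sent by the client. Strip any copies first,
    # otherwise a client with no certificate could forge an identity simply by
    # supplying the header itself.
    HTTP::header remove "X-Client-Cert"
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Issuer"
    HTTP::header remove "X-Client-Cert-Serial"

    set cert [session lookup ssl [SSL::sessionid]]
    if { $cert ne "" } {
        # Whole certificate (DER, base64-encoded) plus a few parsed x509 fields
        # so the pool member does not have to decode it just to read the subject.
        HTTP::header insert "X-Client-Cert" [b64encode $cert]
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject $cert]
        HTTP::header insert "X-Client-Cert-Issuer" [X509::issuer $cert]
        HTTP::header insert "X-Client-Cert-Serial" [X509::serial_number $cert]
    }
}
```

The header-strip step is the part that matters for security: the pool member must treat these headers as authoritative only because they arrive from the BIG-IP, so the server-side path (network ACLs, or server SSL to the pool member) must ensure nothing else can reach the application with those headers set. Validation of the certificate itself (chain, revocation) is still done by the client SSL profile on the BIG-IP, not by the iRule.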